[2533219619] Upstream Reporter: mbmoon
Upstream issue status: Closed
Upstream description:

According to https://github.com/janus-idp/backstage-plugins/blob/a31020647ffcf210fc4d6434d6613aa0ecce71b7/plugins/rbac-backend/docs/conditions.md#conditional-policy-aliases I have put the following condition to conditional file:

---
result: CONDITIONAL
roleEntityRef: 'role:default/Group.Read2'
pluginId: catalog
resourceType: catalog-entity
permissionMapping:
  - read
conditions:
  rule: IS_ENTITY_OWNER
  resourceType: catalog-entity
  params:
    claims:
      - '$currentUser'

It works as expected when catalog item has

spec:
  lifecycle: experimental
  type: website
  owner: user:default/my_user_example_com

But when I use $ownerRefs for condition and for catalog Item use my group as owner - it doesn't return any catalog items.

---
result: CONDITIONAL
roleEntityRef: 'role:default/Group.Read2'
pluginId: catalog
resourceType: catalog-entity
permissionMapping:
  - read
conditions:
  rule: IS_ENTITY_OWNER
  resourceType: catalog-entity
  params:
    claims:
      - '$ownerRefs'

What is wrong? If I do something wrong - maybe you could provide more detailed documentation on how to use $ownerRefs'.

My expectation that I should see all catalog items that has the same owner as my parent group.