diff --git a/catalog/permissions.json b/catalog/permissions.json
index 82bc5ee..812ed68 100644
--- a/catalog/permissions.json
+++ b/catalog/permissions.json
@@ -285,13 +285,13 @@
 },
 {
 "name": "Email Sending Read",
- "scope": "zone",
+ "scope": "account",
 "surfaces": ["sender_domain"],
 "profiles": ["read", "deploy", "full-operator"]
 },
 {
 "name": "Email Sending Write",
- "scope": "zone",
+ "scope": "account",
 "surfaces": ["sender_domain"],
 "profiles": ["deploy", "full-operator"]
 },
diff --git a/scripts/verify_static_contract.sh b/scripts/verify_static_contract.sh
index 994e4c9..84ac6d3 100755
--- a/scripts/verify_static_contract.sh
+++ b/scripts/verify_static_contract.sh
@@ -303,7 +303,8 @@ assert_jq_file "permission profile minimality policy" '
 and (.profiles["security-audit"].allowed_surfaces | index("zone.setting")) != null
 and (.permissions[] | select(.name == "Zone Settings Read" and .scope == "zone" and (.surfaces | index("zone.setting")) != null))
 and (.permissions[] | select(.name == "Zone Settings Write" and .scope == "zone" and (.profiles | index("hostname")) != null))
- and (.permissions[] | select(.name == "Email Sending Write" and .scope == "zone" and (.surfaces | index("sender_domain")) != null and (.profiles | index("deploy")) != null))
+ and (.permissions[] | select(.name == "Email Sending Read" and .scope == "account" and (.surfaces | index("sender_domain")) != null and (.profiles | index("deploy")) != null))
+ and (.permissions[] | select(.name == "Email Sending Write" and .scope == "account" and (.surfaces | index("sender_domain")) != null and (.profiles | index("deploy")) != null))
 and (.profiles.deploy.allowed_surfaces | index("audit.log")) != null
 and (.profiles.deploy.allowed_surfaces | index("wrangler")) != null
 and .profiles["full-operator"].allowed_surfaces == ["*"]
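Review bot: Both Email Sending entries move from `"scope": "zone"` to `"scope": "account"`, which presumably widens what the `read`, `deploy` and `full-operator` profiles request from a single zone to the whole account, and nothing visible in the diff records why. If this follows the provider's own definition of the permission, stating that in the commit description would make the wider grant a recorded decision rather than a silent one. It is also worth confirming that whatever reads `scope` to build tokens no longer attaches these two permissions to zone resources; that consumer is not visible here.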
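Review bot: The two added clauses only assert presence: each passes as soon as one matching entry lists `deploy` in `.profiles`, so the minimality policy never checks that `Email Sending Write` stays out of the `read` profile, which matters more now that the permission is account-scoped. A negative clause such as `and ((.permissions[] | select(.name == "Email Sending Write") | .profiles | index("read")) == null)` would pin that. The new Read clause also tests `index("deploy")`, where `index("read")` looks like the membership that clause is meant to protect. The enclosing `assert_jq_file` expression starts and ends outside the hunk, so an existing negative check elsewhere cannot be ruled out.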