// Test combining read and write permissions
            int readWrite = ACE.FILE_READ_DATA | ACE.FILE_WRITE_DATA;
            assertEquals(0x00000003, readWrite, "Combined read/write should be 0x00000003");

            // Test checking individual bits
            assertTrue((readWrite & ACE.FILE_READ_DATA) != 0, "Should contain FILE_READ_DATA bit");
            assertTrue((readWrite & ACE.FILE_WRITE_DATA) != 0, "Should contain FILE_WRITE_DATA bit");

Use [`mc admin policy`](https://docs.min.io/community/minio-object-store/reference/minio-mc-admin/mc-admin-policy.html) to create canned policies. Server provides a default set of canned policies namely `writeonly`, `readonly` and `readwrite` *(these policies apply to all resources on the server)*. These can be overridden by custom policies using `mc admin policy` command.

  - Edit the application
    - Copy `Client ID` and `Client secret`
    - Add your redirect url (callback url) to `Redirect URLs`
    - Save

- Go to Users
  - Edit the user
    - Add your MinIO policy (ex: `readwrite`) in `Tag`
    - Save

- Open your favorite browser and visit: **http://`CASDOOR_ENDPOINT`/.well-known/openid-configuration**, you will see the OIDC configure of Casdoor.

### Configure MinIO

```

   ]
  }
 ]
}`, bucket, bucket)

	// Check that default policies can be overwritten.
	err = s.adm.AddCannedPolicy(ctx, "readwrite", policyBytes)
	if err != nil {
		c.Fatalf("policy add error: %v", err)
	}

	info, err := s.adm.InfoCannedPolicy(ctx, "readwrite")
	if err != nil {
		c.Fatalf("policy info err: %v", err)
	}

	// Check that policy with comma is rejected.

"admin:TopLocksInfo","admin:OBDInfo","admin:BandwidthMonitor"],"Resource":["arn:aws:s3:::*"]}]},"readonly":{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:GetBucketLocation","s3:GetObject"],"Resource":["arn:aws:s3:::*"]}]},"readwrite":{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:*"],"Resource":["arn:aws:s3:::*"]}]},"writeonly":{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":["s3:PutObject"],"Resource":["arn:aws:s3:::*"]}]}}`,

...

    - This value is needed for `MINIO_IDENTITY_OPENID_CLIENT_SECRET` for MinIO.

- Go to Users
  - Click on the user
  - Attribute, add a new attribute `Key` is `policy`, `Value` is name of the `policy` on MinIO (ex: `readwrite`)
  - Add and Save

- Go to Clients
  - Click on `account`
  - Settings, set `Valid Redirect URIs` to `*`, expand `Advanced Settings` and set `Access Token Lifespan` to `1 Hours`
  - Save

- Go to Clients

MINIO_IDENTITY_OPENID_CLIENT_SECRET_APP2="minio-client-app-secret-2"
MINIO_IDENTITY_OPENID_SCOPES_APP2="openid,groups"
MINIO_IDENTITY_OPENID_REDIRECT_URI_APP2="http://127.0.0.1:10000/oauth_callback"
MINIO_IDENTITY_OPENID_ROLE_POLICY_APP2="readwrite"

```
</details>

<details><summary>Example 2: Single claim based provider</summary>

Sample environment variables:

```
MINIO_IDENTITY_OPENID_DISPLAY_NAME="my openid"

                .setLevel(Level.ERROR)
                .setMessage(new SimpleMessage("test message 3"))
                .build();

        LogEvent result1 = policy.rewrite(event1);
        LogEvent result2 = policy.rewrite(event2);
        LogEvent result3 = policy.rewrite(event3);

        assertEquals(Level.WARN, result1.getLevel());
        assertEquals(Level.WARN, result2.getLevel());

import org.apache.logging.log4j.core.appender.rewrite.RewritePolicy;
import org.apache.logging.log4j.core.config.plugins.Plugin;
import org.apache.logging.log4j.core.config.plugins.PluginAttribute;
import org.apache.logging.log4j.core.config.plugins.PluginFactory;
import org.apache.logging.log4j.core.impl.Log4jLogEvent;

/**
 * Log4j rewrite policy that converts ERROR level log events to WARN level for specified loggers.

     * Rewrites the query using the provided rewrite context.
     *
     * @param queryShardContext the query rewrite context
     * @return the rewritten query builder
     * @throws IOException if an I/O error occurs during rewriting
     */
    @Override
    public QueryBuilder rewrite(final QueryRewriteContext queryShardContext) throws IOException {
        return queryBuilder.rewrite(queryShardContext);
    }

    @Override