}

const sessionPolicyNameExtracted = policy.SessionPolicyName + "-extracted"

// IsAllowedServiceAccount - checks if the given service account is allowed to perform
// actions. The permission of the parent user is checked first
func (sys *IAMSys) IsAllowedServiceAccount(args policy.Args, parentUser string) bool {
	// Verify if the parent claim matches the parentUser.
	p, ok := args.Claims[parentClaim]