How to write a policy to allow a manager to get a station with multiple managers?

[Leon0824]

Hi, I have two Pydantic models, Station and User:

class Station(BaseModel):
  id: PydanticObjectId
  name: str
  managers: list[PydanticObjectId] # List of User ObjectID

class User(BaseModel):
  id: PydanticObjectId
  username: str
  role: RoleEnum

s01_station = Station(id='S01', name='S01', managers=['U01', 'U02'])
u01_manager = User(id='U01', name='U01', role=RoleEnum.STATION_MANAGER')

I would like to define a policy to allow a manager to get stations which managers field includes the manager's user ID. But I can't make it happen.

My typical inquiry is:

allowed = guard.is_allowed(Inquiry(
  action=ActionEnum.GET_STATION,
  resource=s01_station.model_dump(), # `model_dump()` converts Pydantic model instance to an dict object
  subject=u01_manager.model_dump(),
))

What I did so far:

PolicyAllow(
  uid='P14',
  actions=[Eq(ActionEnum.GET_STATION)],
  resources=[Any()],
  subjects=[
    {'role': Eq(RoleEnum.STATION_MANAGER), 'id': ResourceIn()},
  ],
),

Can anyone help?