A shell report can model a simple entitlement check with scalar role, grant, and status values.

Program

Play the script to choose the role and inspect whether the grant is expected.

entitlement_status_report.sh
#!/usr/bin/env bash

role=
grant="deploy"
if [[ "$role" == "admin" ]]; then
    allowed="deploy read"
else
    allowed="read"
fi
if [[ " $allowed " == *" $grant "* ]]; then
    audit_status="expected"
else
    audit_status="unexpected"
fi
echo "$role grant=$grant status=$audit_status"
#!/usr/bin/env bash

role=
grant="deploy"
if [[ "$role" == "admin" ]]; then
    allowed="deploy read"
else
    allowed="read"
fi
if [[ " $allowed " == *" $grant "* ]]; then
    audit_status="expected"
else
    audit_status="unexpected"
fi
echo "$role grant=$grant status=$audit_status"
role policy The role chooses the permissions that are expected for the check.
grant comparison The membership test compares one grant against the role policy string.
audit status The final status calls out whether the grant matches the selected role.