// Permit the orchestrator principal to execute any node.
permit(
    principal == User::"orchestrator",
    action    == Action::"execute",
    resource  in ResourceGroup::"nodes"
);