09/16/2022, 5:02 PM
hello, I'm trying to model the concept of reusable roles. The idea would be to create an RBAC layer on top of ReBAC the following way:
1. users can be assigned to groups
2. groups can be assigned to roles
3. roles have a set of permissions related to the type , but not to a specific object id
4. (to keep it simple) the are related to groups
The resolution would be that if a user belongs to a group assigned to the thing and at the same time belongs to a role with the requested permission, then they are allowed. In my attempts to model this, I always end up with roles being assigned to a specific object id, making them non-reusable (i.e. multiple assignments need to be made for each object id, at which point groups become useless and users could be assigned directly to roles).