Hi all, we have the following scenario:
We have the following resources: order (which has a location attribute), bill (which has a location attribute)
We have the following contexts: location (a location could be referenced in several administrative regions), administrative_region
We have this authz model: user, role (clerk, supervisor, etc.), permission and context (location or administrative region)
· A role can have several permission sets: order_read, order_write, bill_read, bill_write (so the relationship would be something like role:clerk has permission:order_read)
· Then we grant a specific role to a user in a specific location or administrative region (so the relationship would be user:elisa member of role:clerk in location:france)
Then we would need to check if:
user:elisa has order_read permission on location:france
user:elisa has order_read permission on administrative_region:europe
In a similar question, I got this answer:
definition user {}
definition region {
    relation sales_manager: user
    relation sales_clerk: user
    relation accountant: user
    ...
    permission order_read = sales_manager + accountant
}
Is this a good approach? I mean, if my app has hundreds of permissions and roles, having all of them in the same definition?
And in case multi-tenancy is required, should it be hardcoded in the permission definition (tenant1_order_read, tenant2_order_read)?
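An added example, not from the original thread or any reply, of how the same scenario can be modelled in SpiceDB schema without one relation per role: roles become objects and each grant becomes a `role_binding` object, which is an assumed naming (the object names, the `user:*` wildcard relations and the sample relationships below are constructed for illustration).

```zed
// Added example, not from the original thread: roles are objects and each
// grant is a "role binding", so adding a role or permission is data, not schema.
definition user {}

// One wildcard relation per permission the role carries (bill_* same shape).
definition role {
    relation order_read: user:*
    relation order_write: user:*
}

// One binding per (user, role) grant, attached where the grant applies.
definition role_binding {
    relation user: user
    relation role: role
    permission order_read = user & role->order_read
    permission order_write = user & role->order_write
}

definition administrative_region {
    relation role_binding: role_binding
    permission order_read = role_binding->order_read
    permission order_write = role_binding->order_write
}

// A grant on a region also applies to every location inside it.
definition location {
    relation administrative_region: administrative_region
    relation role_binding: role_binding
    permission order_read = role_binding->order_read + administrative_region->order_read
    permission order_write = role_binding->order_write + administrative_region->order_write
}

// Constructed sample relationships (SpiceDB tuple notation):
//   role:clerk#order_read@user:*
//   role_binding:elisa_clerk_fr#user@user:elisa
//   role_binding:elisa_clerk_fr#role@role:clerk
//   location:france#role_binding@role_binding:elisa_clerk_fr
//   location:france#administrative_region@administrative_region:europe
// Checks: location:france#order_read@user:elisa -> permitted (via binding);
//         location:france#order_write@user:elisa -> denied (clerk lacks it);
//         administrative_region:europe#order_read@user:elisa -> denied, the
//         grant is on the location; a binding on the region would flow down.
// Multi-tenancy: each tenant's regions, locations and roles are separate
//   objects, so the permission names stay unprefixed.
```

Because a binding ties one user to one role, the intersection in `role_binding` cannot leak a permission from a second role attached to the same location, which is the failure mode of intersecting `role->member` with `role->order_read` directly on the location.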