02/07/2023, 10:58 AM
If there is a hierarchy of access, e.g. basic_access, detailed_access, full_access, you can have inherited permissions, i.e. full_access implies detailed_access, which implies basic_access. Of course, this also requires you to have 3 endpoints for the different info. ReBAC is optimised for answering "can X see Y of Z", rather than answering "which Ys of Z can X see".
The other option is for your endpoint to make the 3 checks and redact the info based on the responses.
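A sketch of the second option described above, added as an example that is not part of the original post: one endpoint runs the three checks against inherited relations and redacts by tier. The relation names come from the post; the tuple store, field names, sample report and function names are constructed assumptions, not any particular ReBAC product's API.

```python
# Added example. Relation names follow the post; all other names and data are hypothetical.
# For each relation, the set of relations that satisfy it (full implies detailed implies basic).
IMPLIED_BY = {
    "basic_access": {"basic_access", "detailed_access", "full_access"},
    "detailed_access": {"detailed_access", "full_access"},
    "full_access": {"full_access"},
}

# Relationship tuples (subject, relation, object), as a ReBAC store would hold them.
TUPLES = {
    ("alice", "full_access", "report:42"),
    ("bob", "detailed_access", "report:42"),
    ("carol", "basic_access", "report:42"),
}

# Tier required to see each field of the resource (constructed sample data).
FIELD_TIER = {
    "title": "basic_access",
    "summary": "detailed_access",
    "raw_findings": "full_access",
}

REPORTS = {
    "report:42": {"title": "Q1 audit", "summary": "3 issues", "raw_findings": "scanner output"},
}


def check(subject, relation, obj):
    """Answer 'can X see Y of Z': true if X holds the relation or one that implies it."""
    return any((subject, r, obj) in TUPLES for r in IMPLIED_BY[relation])


def get_report(subject, obj):
    """Single endpoint: one check per tier, then redact fields the caller may not see."""
    allowed = {tier for tier in IMPLIED_BY if check(subject, tier, obj)}
    if "basic_access" not in allowed:
        return None  # no relation to the object at all: deny outright
    # A field with no declared tier is redacted (fail closed) rather than leaked.
    return {
        field: (value if FIELD_TIER.get(field) in allowed else "[REDACTED]")
        for field, value in REPORTS[obj].items()
    }
```

The redaction step fails closed: a field added to the report without a tier in `FIELD_TIER` is hidden from every caller until someone classifies it.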