Best way to model per-resource/per-relation authorization

Hi Thiago @tcoraini

If I understood correctly, your backend resource service needs to know both the role and permission to filter the right subset of data.

Ideally, the resource service should only know about permissions; otherwise the benefit of the separation between permissions and roles is diminished. Both approaches in my mind are similar, so I would go for your option 2.

A more general way to solve this would be with what I call resource filters. See Role assignment with resource filters. In this case, your role would be Owner/Representer, permission would be manage, and filter would be some representation on how to filter the subset of resources for an Owner/Representer/other...

Hope that makes sense. Looks like we have similar use cases :slight_smile:
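
A sketch of the resource-filter idea from the reply above, as an added example that is not part of the original post or of any project's code. The `(field, value)` filter representation, the role-to-permission map, the `Viewer` role and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical role model: which permissions each role grants.
ROLE_PERMISSIONS = {
    "Owner": {"manage", "view"},
    "Representer": {"manage"},
    "Viewer": {"view"},
}

@dataclass(frozen=True)
class Assignment:
    subject: str
    role: str
    resource_filter: tuple  # assumed representation: (field, required value)

# Constructed sample assignments and resources.
ASSIGNMENTS = [
    Assignment("alice", "Owner", ("owner_id", "alice")),
    Assignment("bob", "Representer", ("represented_by", "bob")),
    Assignment("bob", "Viewer", ("owner_id", "alice")),
]
COMPANIES = [
    {"id": 1, "owner_id": "alice", "represented_by": "bob"},
    {"id": 2, "owner_id": "alice", "represented_by": "carol"},
    {"id": 3, "owner_id": "dave", "represented_by": "bob"},
]

def filters_for(subject, permission, assignments=ASSIGNMENTS):
    """Authorization side: resolve role assignments into the resource
    filters that carry `permission`. Unknown roles grant nothing."""
    return [a.resource_filter for a in assignments
            if a.subject == subject
            and permission in ROLE_PERMISSIONS.get(a.role, set())]

def visible_resources(resources, filters):
    """Resource-service side: receives only filters, never role names.
    An empty filter list matches nothing (deny by default)."""
    return [r for r in resources
            if any(r.get(field) == value for field, value in filters)]

def list_for(subject, permission):
    """IDs of the resources `subject` may act on with `permission`."""
    allowed = visible_resources(COMPANIES, filters_for(subject, permission))
    return [r["id"] for r in allowed]
```

The resource service here depends only on the permission name and the filters attached to it, so roles can be renamed or recombined without touching the filtering code.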