Feature:
Role assignments with a resource filter
Description:
A group of users has role Device Operator, but only for devices with classification of xyz. In this case, I would like to store an opaque “filter string” with the assignment which is made available at the time of authorization (in a rule context or token).
Then the resource service can use this filter to further restrict which devices a user in that group will be allowed to access.
from: Role assignment with resource filters
Use-case:
Implement a system where a role can be assigned to a user, but authorization is also subject to some properties of the resource being acted upon.
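
A sketch of the resource-service side of this request, as an added example that is not part of the original post or any product API. The `role_assignments` claim name, the `key=value;key=value` filter grammar, and every function name are assumptions made for illustration; a filter the service cannot parse denies access.

```python
from typing import Mapping

class FilterError(ValueError):
    """Filter string does not match the grammar assumed in this example."""

def parse_filter(filter_string: str) -> dict[str, str]:
    """Parse 'key=value;key=value' (assumed grammar) into required attributes."""
    conditions: dict[str, str] = {}
    for clause in filter_string.split(";"):
        key, sep, value = clause.partition("=")
        key, value = key.strip(), value.strip()
        # Reject empty, incomplete or duplicated clauses instead of guessing.
        if not sep or not key or not value or key in conditions:
            raise FilterError(f"malformed filter clause: {clause!r}")
        conditions[key] = value
    return conditions

def assignment_allows(assignment: Mapping, role: str, resource: Mapping) -> bool:
    """True if one role assignment grants `role` on `resource`."""
    if assignment.get("role") != role:
        return False
    filter_string = assignment.get("filter")
    if filter_string is None:
        return True  # assignment carries no filter: role applies to all resources
    if not isinstance(filter_string, str):
        return False
    try:
        conditions = parse_filter(filter_string)
    except FilterError:
        return False  # fail closed: an unreadable filter never widens access
    # A resource lacking a filtered attribute does not match.
    return all(resource.get(key) == value for key, value in conditions.items())

def is_authorized(claims: Mapping, role: str, resource: Mapping) -> bool:
    """Check the (assumed) role_assignments claim of an already verified token."""
    assignments = claims.get("role_assignments", [])
    if not isinstance(assignments, list):
        return False
    return any(isinstance(a, Mapping) and assignment_allows(a, role, resource)
               for a in assignments)

# Constructed sample claims, using the role and classification from the post.
SAMPLE_CLAIMS = {
    "sub": "user-1",
    "role_assignments": [
        {"role": "Device Operator", "filter": "classification=xyz"},
    ],
}
```

The identity provider only stores and forwards the filter string; its meaning is defined entirely by the resource service, which is what keeps it opaque to the authorization server.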