Role assignments with a resource filter
A group of users has role Device Operator, but only for devices with classification of xyz. In this case, I would like to store an opaque “filter string” with the assignment which is made available at the time of authorization (in a rule context or token).
Then the resource service can use this filter to further restrict which devices a user in that group will be allowed to access.
Implement a system where a role can be assigned to a user, but authorization is also subject to some properties of the resource being acted upon.
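
The resource-service side of this request, as an added illustration that is not part of the original post or of any product's API. It assumes the token has already been verified; the `role_assignments` claim, the `key=value;key=value` filter grammar and the permission names are hypothetical.

```python
# Added illustration. Claim layout, filter grammar and permission names are
# assumptions; the token is assumed to be signature- and expiry-checked already.
ROLE_PERMISSIONS = {"Device Operator": {"device:read", "device:operate"}}


class FilterError(ValueError):
    """Raised when a filter string cannot be interpreted."""


def parse_filter(raw):
    """Turn 'key=value;key=value' into a dict of required resource properties."""
    if not isinstance(raw, str):
        raise FilterError("filter must be a string")
    conditions = {}
    for term in raw.split(";"):
        key, sep, value = term.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key or not value:
            raise FilterError(f"malformed filter term: {term!r}")
        conditions[key] = value
    return conditions


def filter_matches(raw, resource):
    """An assignment with no filter is unrestricted; otherwise all terms must match."""
    if raw is None:
        return True
    conditions = parse_filter(raw)
    return all(k in resource and str(resource[k]) == v
               for k, v in conditions.items())


def is_authorized(claims, permission, resource):
    """Allow if any assignment grants the permission and its filter fits the resource."""
    for assignment in claims.get("role_assignments", []):
        granted = ROLE_PERMISSIONS.get(assignment.get("role"), ())
        if permission not in granted:
            continue
        try:
            if filter_matches(assignment.get("filter"), resource):
                return True
        except FilterError:
            continue  # fail closed: an unreadable filter grants nothing
    return False


# Constructed sample data for the scenario in the post.
CLAIMS = {"sub": "user-1", "role_assignments": [
    {"role": "Device Operator", "filter": "classification=xyz"}]}
DEVICE_XYZ = {"id": "dev-1", "classification": "xyz"}
DEVICE_ABC = {"id": "dev-2", "classification": "abc"}
```

The identity side only stores and forwards the string; its meaning lives entirely in the resource service, so a malformed or empty filter is treated as granting nothing rather than everything.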