Open sinqinc opened 7 years ago
very +1.
I find the module is very great, and the API is very interesting and lean.
But I'm struggling to make something dynamic and working for such a use case:
"Role 1 can view thatkindofresource" => ok
"Role 1 can view thatkindofresource in thatorganization" => ko
"Role 1 can view thatkindofresource in thatorganization and in thatgroup" => ko
We, similarly, have a hierarchical design with organization, domains, group. And kind of admins for each level of hierarchy.
Facing the same issue, how did you solve it?
@bora89 I'm using the design I described in my first post. I create a new ACL with all the resources and permissions on every part of a hierarchy. I'm also using addRoleParents to nest each ACL. I don't know if the design breaks some "rules" but it works well for my project.
Hi, I need some help in my project because I'm not sure if it's the way I should do it.
I have an API used by an APP to manage data.
The data is accessed that way :
I need to have these roles: global admin, organization admin (for each org), project admin (for each project), project user (for each project).
Global admin can access all.
Organization admin can do anything in his org (create ou/project/section/variable/value).
Project admin can do anything in his project (create section/variable/value).
Project user can only edit data in that project (edit value in each section of a project).
Since I am using the mongo backend, do I need to create a resource for each path, or can I just create a resource like '/' for the global admin? I tried but it doesn't work.
I started to create a role for each organization/ou/project like that :
But it will create A LOT of roles and resources for each role since I need to add each sub-resource. It could be nice to only match the beginning of the resource to create a resource like '/' that gives access to all sub-resources.
For the user I created a role like that :
and created a middleware to replace a part of the URL by "param1" to be able to match any section!
What should I do for each admin?
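
The "match only the beginning of the resource" idea from the post above, as an added example that is not part of the thread and does not use the module's API: a grant on a path prefix covers every sub-resource, matched on whole path segments. The paths, role names and permission names are constructed for illustration.

```javascript
// Added example: hierarchical grants resolved by walking up the resource path.
// Paths, role names and permission names below are constructed, not from the thread.
const grants = new Map(); // role -> Map(resourcePrefix -> Set(permissions))

function normalize(path) {
  // Drop empty segments and reject dot segments, so "/org1/../org2" can never
  // be evaluated against org1's grants.
  const parts = path.split('/').filter(Boolean);
  if (parts.some((p) => p === '.' || p === '..')) throw new Error('invalid path');
  return parts;
}

function allow(role, prefix, permissions) {
  const key = '/' + normalize(prefix).join('/');
  if (!grants.has(role)) grants.set(role, new Map());
  const byPrefix = grants.get(role);
  if (!byPrefix.has(key)) byPrefix.set(key, new Set());
  permissions.forEach((p) => byPrefix.get(key).add(p));
}

// Ancestors of "/org1/ou1" are "/", "/org1", "/org1/ou1".
// Matching whole segments means a grant on "/org1" never covers "/org10".
function ancestors(path) {
  const parts = normalize(path);
  const out = ['/'];
  for (let i = 1; i <= parts.length; i++) out.push('/' + parts.slice(0, i).join('/'));
  return out;
}

function isAllowed(roles, resource, permission) {
  let chain;
  try { chain = ancestors(resource); } catch (e) { return false; } // deny by default
  return roles.some((role) => {
    const byPrefix = grants.get(role);
    if (!byPrefix) return false;
    return chain.some((prefix) => {
      const perms = byPrefix.get(prefix);
      return perms !== undefined && (perms.has('*') || perms.has(permission));
    });
  });
}

// One grant per admin level instead of one resource per sub-path.
allow('global-admin', '/', ['*']);
allow('org1-admin', '/org1', ['*']);
allow('org1-proj1-admin', '/org1/ou1/proj1', ['*']);
allow('org1-proj1-user', '/org1/ou1/proj1', ['edit']);
```
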