Having permissions on an ancestor object (parent defined by business logic) grants the same permission to all descendant objects.
E.g. I'm an administrator for this team, so I can administrate only said team. Jennifer is an administrator for our entire department (comprised of 6 teams, including ours) and so can administrate our team (as well as the other 5). Phil is an administrator for the division, and so can administrate our entire department and 4 others.
Would you consider adding (say) an annotation that allows guardrail to know if an object is a "parent" of another object? So we simply have to say I have administrate permission on our team object; Jennifer has administrate permission on the relevant department object, and Phil has said permission on the relevant division object?
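A sketch of the ancestor-based check requested above, added here as an example; it is not guardrail's code or API. `Node`, `Grants` and the object names are hypothetical. Grants flow down the parent chain only, and a cycle in the chain raises rather than granting access.

```python
class Node:
    """Business object with an optional parent (hypothetical model)."""
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent


class Grants:
    """Direct grants plus lookup that inherits from ancestors."""
    def __init__(self):
        self._direct = set()  # (user, permission, node)

    def grant(self, user, perm, node):
        self._direct.add((user, perm, node))

    def has_permission(self, user, perm, node):
        # Walk from the object up to the root; a grant on any ancestor
        # applies. A grant on a descendant never applies to an ancestor.
        seen = set()
        while node is not None:
            if node in seen:
                # Misconfigured hierarchy: refuse instead of looping forever.
                raise ValueError("cycle in parent chain")
            seen.add(node)
            if (user, perm, node) in self._direct:
                return True
            node = node.parent
        return False


# Constructed sample hierarchy matching the scenario in the request.
division = Node("division")
department = Node("department", parent=division)
other_department = Node("other_department", parent=division)
team = Node("team", parent=department)
sibling_team = Node("sibling_team", parent=department)
other_dept_team = Node("other_dept_team", parent=other_department)

grants = Grants()
grants.grant("me", "administrate", team)
grants.grant("jennifer", "administrate", department)
grants.grant("phil", "administrate", division)

if __name__ == "__main__":
    for user in ("me", "jennifer", "phil"):
        for obj in (team, sibling_team, other_dept_team, department):
            print(user, obj.name, grants.has_permission(user, "administrate", obj))
```
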