Hello, I am building an app with relatively complicated authorization requirements. To give a basic summary of requirements: I am building an app to manage renovation projects on sets of buildings (i.e. rebranding efforts on bank branches, energy retrofits, etc.).

When a user logs in, he or she will have access to projects they are a part of, and when they go to the building list page, they will see all the buildings related to projects they are a part of. Other users may need to have access to individual buildings only (i.e. property managers, supers, architects). Also, I want to designate some users as administrators for their particular project, so they can manage user access to the buildings. On top of that, there are other pieces of functionality that I will want to enable / disable in the future (i.e. whether a user has workflow privileges, can upload files, etc.), or access to whole areas of the site on a per-user basis.

I am trying to figure out how to lay out my permissions. I am still getting familiar with Shiro, but am thinking of modeling my permissions as WildcardPermission with:

"Project ID or Name:DomainObjectName(Building, Program):Operation(edit, create, workflow, etc):DomainInstanceID"

I think by adding the project name / id into my wildcard, that would allow me to authorize somebody to have, say, read access to all buildings in a specific project. Any time I create a new project, I could then create several roles for each project so they could be assigned to users, i.e. ProjectX_ADMIN, ProjectX_Viewer, ProjectX_Editor, etc. The admin would have permissions "ProjectX:*:*:*" - all permissions for project X.

Does the above make sense? Any feedback is welcome - I've seen a bunch of examples of restricting actions of a user based on their role, but it seems like I have another layer of complexity here.

Thanks,
Jean
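A quick check of how grants laid out as project:domainObject:operation:instanceId would evaluate under Shiro's WildcardPermission, added here as an example (it is not code from the post or from Shiro itself); the role names and the permission strings below are assumed, following the layout described above:

```java
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.permission.WildcardPermission;

public class ProjectPermissionCheck {

    // Assumed grants, modelled on the post's layout:
    // project:domainObject:operation:instanceId
    static final Permission PROJECT_X_ADMIN    = new WildcardPermission("projectX:*:*:*");
    static final Permission PROJECT_X_VIEWER   = new WildcardPermission("projectX:building:read:*");
    static final Permission BUILDING_42_EDITOR = new WildcardPermission("projectX:building:edit:42");

    /** Does the granted permission cover the requested action string? */
    static boolean allows(Permission granted, String requested) {
        return granted.implies(new WildcardPermission(requested));
    }

    public static void main(String[] args) {
        // The project admin covers every object, operation and instance inside project X,
        // because the first part must match literally and the rest are wildcards.
        System.out.println("admin edits building 17 in X: "
                + allows(PROJECT_X_ADMIN, "projectX:building:edit:17"));
        // The same grant says nothing about another project: the first part does not match.
        System.out.println("admin reads building 17 in Y: "
                + allows(PROJECT_X_ADMIN, "projectY:building:read:17"));

        // A viewer role can read any building of project X, but the operation part
        // is fixed to "read", so an edit request is not implied.
        System.out.println("viewer reads building 17: "
                + allows(PROJECT_X_VIEWER, "projectX:building:read:17"));
        System.out.println("viewer edits building 17: "
                + allows(PROJECT_X_VIEWER, "projectX:building:edit:17"));

        // A per-instance grant (e.g. for a property manager) is limited to that one id.
        System.out.println("building-42 editor edits 42: "
                + allows(BUILDING_42_EDITOR, "projectX:building:edit:42"));
        System.out.println("building-42 editor edits 43: "
                + allows(BUILDING_42_EDITOR, "projectX:building:edit:43"));

        // Caveat: parts left off the end of a grant behave like wildcards, so a short
        // grant is broader than it reads. "projectX:building" implies every operation
        // on every building in project X; write the operation part out explicitly.
        Permission shortGrant = new WildcardPermission("projectX:building");
        System.out.println("short grant edits building 42: "
                + allows(shortGrant, "projectX:building:edit:42"));
    }
}
```

In the application itself the check is normally made through the current Subject (for example `SecurityUtils.getSubject().isPermitted("projectX:building:edit:42")`) after a realm has resolved the user's roles to these permission strings.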
