Configure permissions based on resource attribute without resource instance registration

I’ve a resource server that manages Devices. Device has attribute “geolocation_id”. There’re users that belong to specific geolocation and each user has “geolocation_id” attribute. I would like to define permission on “DeviceResource” (without registering all the devices) where the policy (probably js-type) checks if user.geolocation_id === resource.geolocation_id.
I don’t find a way to pass resource attributes on permissions evaluation. My thought was adding attribute “resource:geolocation_id” to the authorization context (from the resource service), but I’m not sure:

  1. if it’s the only and best option
  2. where to set this attribute on the context in the service
1 Like