I need to support 2 authorization models in my app.
Users in my application will have “global roles” and then “resource-scoped roles”.
For instance, a user that has the role of “viewer” can access the “home screen” and then view all the resources of type “schema” in the organization to which they belong.
Permissions: view_home_screen, view_all_schemas
This role is global.
But, at the same time, an administrator can assign a different role to them in the scope of the given resource. Say, I have an entity called “environment”. Within the instance of a particular environment entity, the user can be assigned the role of “environment-editor”.
Having the role of “environment-editor” on “environment” e1 gives them additional permissions. Now the user can edit e1 and do other operations on other entities within environment “e1”.
Then, at the same time, they could be assigned the role of “environment-manager” for environment “e2”. Resource-scoped role “environment-manager” adds additional permissions to “environment-editor”. Now they can also delete “e2” and also assign resource-scoped roles within “e2”.
I am wondering if I can implement those 2 models and whether they can peacefully co-exist.
Also, I would be needing an API that would fetch all the permissions for the user. Both global and resource-scoped.
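As an added illustration (not code from the original post), the two models described above can coexist in a single deny-by-default policy: global roles grant permissions everywhere, resource-scoped roles grant permissions only on the exact resource they were assigned on, and a "manager" role inherits the "editor" role's permissions. The role names, permission names and the `Resource`/`User` types are assumptions made for the example; `effective_permissions` is the "fetch all permissions for the user" API, and `assign_scoped_role` shows that granting a scoped role is itself a scoped permission checked against that resource.

```python
from dataclasses import dataclass, field

# Constructed example data: role and permission names are assumptions, not a real app's.
GLOBAL_ROLES = {
    "viewer": {"view_home_screen", "view_all_schemas"},
}

# Resource-scoped roles, keyed by resource type.
SCOPED_ROLES = {
    "environment": {
        "environment-editor": {"edit_environment", "edit_environment_entities"},
        "environment-manager": {"delete_environment", "assign_environment_roles"},
    }
}

# "environment-manager" adds to "environment-editor", so it inherits its permissions.
SCOPED_ROLE_INHERITS = {
    ("environment", "environment-manager"): ["environment-editor"],
}


@dataclass(frozen=True)
class Resource:
    type: str
    id: str


@dataclass
class User:
    name: str
    global_roles: set = field(default_factory=set)
    # Resource -> set of scoped role names held on that specific resource.
    scoped_roles: dict = field(default_factory=dict)


def scoped_role_permissions(resource_type, role):
    """Expand a scoped role into its permissions, following the inheritance graph."""
    perms, stack, seen = set(), [role], set()
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        perms |= SCOPED_ROLES[resource_type][current]
        stack.extend(SCOPED_ROLE_INHERITS.get((resource_type, current), []))
    return perms


def effective_permissions(user):
    """The 'fetch all permissions' API: global permissions plus a per-resource map."""
    global_perms = set().union(*(GLOBAL_ROLES[r] for r in user.global_roles))
    scoped = {
        res: set().union(*(scoped_role_permissions(res.type, r) for r in roles))
        for res, roles in user.scoped_roles.items()
    }
    return {"global": global_perms, "scoped": scoped}


def is_allowed(user, permission, resource=None):
    """Deny by default. Global permissions apply everywhere; scoped ones only on that resource."""
    perms = effective_permissions(user)
    if permission in perms["global"]:
        return True
    if resource is not None and permission in perms["scoped"].get(resource, set()):
        return True
    return False


def assign_scoped_role(actor, target, resource, role):
    """Granting a scoped role is itself a scoped permission, checked on that exact resource."""
    if not is_allowed(actor, "assign_environment_roles", resource):
        raise PermissionError(f"{actor.name} may not assign roles on {resource}")
    if role not in SCOPED_ROLES.get(resource.type, {}):
        raise ValueError(f"unknown role {role!r} for resource type {resource.type!r}")
    target.scoped_roles.setdefault(resource, set()).add(role)


if __name__ == "__main__":
    e1, e2 = Resource("environment", "e1"), Resource("environment", "e2")
    alice = User("alice", {"viewer"}, {e1: {"environment-editor"}, e2: {"environment-manager"}})
    print(effective_permissions(alice))
    print(is_allowed(alice, "delete_environment", e1), is_allowed(alice, "delete_environment", e2))
```

The key design point is that the permission check takes the resource as an argument, so a scoped grant on e1 can never be mistaken for a grant on e2, while global permissions are returned once rather than copied into every resource entry.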