So, we have the RBAC implementation that makes us able to assign roles to users, and permissions to these roles. So far so good. However, for our application, we need fine-grained authorizations, that is, one role (here a client) can have permissions on a specific resource but with further permission specifications (limits), on a per-user basis.
For instance, a client role can have permissions on the domain feature but a user with that role can be limited to max 10 domains. My question here is how to build that on top of the RBAC implementation? How to store and retrieve those permission specifications (constraints) on a per-user basis? Should we first create a client role with minimum permissions, then a specific role (hierarchical roles) for the user with a subset of permissions to which we would add a subset of constraints? I’m a bit lost…
Thank you for your help.
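One way to model the requirement in the post above, as an added example that is not part of the original post and not tied to any particular RBAC library: the role decides whether a permission is granted at all, and a per-user limit can only narrow that grant. All names (`ROLE_PERMISSIONS`, `User`, `is_allowed`, `domain.create`) are hypothetical and the data is constructed.

```python
from dataclasses import dataclass, field

# Constructed sample data: role -> permissions granted by plain RBAC.
ROLE_PERMISSIONS = {
    "client": {"domain.create", "domain.view"},
}


@dataclass
class User:
    name: str
    roles: set
    # Per-user constraints: permission -> maximum number of resources.
    # A missing entry means "no extra limit for this user".
    limits: dict = field(default_factory=dict)


def has_permission(user, permission):
    """Plain RBAC check: does any of the user's roles grant the permission?"""
    return any(permission in ROLE_PERMISSIONS.get(role, ()) for role in user.roles)


def is_allowed(user, permission, current_usage=0):
    """RBAC check first, then the per-user limit.

    current_usage is the number of resources the user already owns
    (for example, domains already created), supplied by the caller.
    """
    # Step 1: deny by default. A limit stored on the user never grants
    # anything the role does not already grant.
    if not has_permission(user, permission):
        return False

    # Step 2: apply the per-user constraint, if one is stored.
    if permission not in user.limits:
        return True
    limit = user.limits[permission]

    # Fail closed on a malformed limit instead of treating it as unlimited.
    if not isinstance(limit, int) or limit < 0:
        return False
    return current_usage < limit


if __name__ == "__main__":
    alice = User("alice", {"client"}, {"domain.create": 10})
    print(is_allowed(alice, "domain.create", current_usage=9))   # under the limit
    print(is_allowed(alice, "domain.create", current_usage=10))  # limit reached
```

Keeping the limit as data on the user, rather than creating one role per user, leaves the role hierarchy unchanged while the constraint is checked at the point of use.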