Hello guys,
I am looking for some advice here. I am trying to build a system which will be a tenant application with organizations and users. Under each organization there will be a dossier for a visitor/patient. Under it there will be other different types of records. The organization will have an owner which will be granting access to the different users via records in the database. For example, Owner1 adds User2 granting full access as internal over all records under that organization. Or Owner1 adds User2 as an external user which will have access only to a single dossier.
The access should be checked each time a dossier is opened under that organization with the assigned access level. If no such record exists, the current user will be routed away with an error.
Eventually not all users will be granted access over all records but only to a few. Also some users would only have read-only permissions without the option to create/edit/delete records.
That is a simple example of what the app is supposed to do. The problem I am having is: should I use Scopes for the granular access, or should I just build my own approach which eventually would overlap the Scope functionality to a certain level? Or maybe a mix of both, Scopes and custom rules?
To me, if I have the organization_rules table which will have the allowed user along with either the resource(s) or full access, then the scope for the organization might be redundant, considering that upon creation that field will be populated when being saved. Then when pulling the record and checking the access, if the user can read/write etc., then maybe it does not need scopes. Or maybe I don't understand the scopes very well and my goal can be achieved with them.
Any help is welcome here.
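As an added example (not code from the original post or from any particular framework), the following Python sketch models the organization_rules idea described above in framework-neutral terms. Everything in it is an assumption for illustration: the `Rule` and `Dossier` shapes, the `internal`/`external` kinds, the `read`/`write` permissions, and the sample ids. It shows the per-record check the post describes (`open_dossier`, which refuses rather than returns when no matching rule exists) and a scope-style list filter (`accessible_dossiers`) built on the same rule evaluation, so the list view and the single-record check cannot drift apart. Access is denied by default, and the organization id is always part of the match, so a grant in one organization never unlocks a dossier with the same numeric id in another.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# All identifiers, record shapes and sample rows below are constructed for this
# example; they are not from the original post or from any particular framework.


@dataclass(frozen=True)
class Dossier:
    id: int
    org_id: int
    subject: str


@dataclass(frozen=True)
class Rule:
    """One row of a hypothetical organization_rules table."""
    org_id: int
    user_id: int
    kind: str                         # "internal": every record in the organization
                                      # "external": a single dossier only
    permission: str                   # "read" or "write"
    dossier_id: Optional[int] = None  # required when kind == "external"


PERMISSION_RANK = {"read": 1, "write": 2}
WRITE_ACTIONS = {"create", "edit", "delete"}
ALL_ACTIONS = {"read"} | WRITE_ACTIONS


def effective_permission(rules: Iterable[Rule], user_id: int, org_id: int,
                         dossier_id: int) -> Optional[str]:
    """Strongest permission the user holds on this dossier, or None (deny by default).

    The organization id is always part of the match, so a rule granted in one
    organization never applies to a dossier with the same numeric id elsewhere.
    """
    best: Optional[str] = None
    for rule in rules:
        if rule.org_id != org_id or rule.user_id != user_id:
            continue
        if rule.kind == "internal":
            applies = True
        elif rule.kind == "external":
            applies = rule.dossier_id is not None and rule.dossier_id == dossier_id
        else:
            applies = False                               # unknown kinds grant nothing
        rank = PERMISSION_RANK.get(rule.permission, 0)    # unknown permissions grant nothing
        if applies and rank > PERMISSION_RANK.get(best, 0):
            best = rule.permission
    return best


def is_allowed(rules: Iterable[Rule], user_id: int, dossier: Dossier, action: str) -> bool:
    """Record-level check: 'read' needs any access, create/edit/delete need 'write'."""
    if action not in ALL_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    perm = effective_permission(rules, user_id, dossier.org_id, dossier.id)
    if perm is None:
        return False
    return action == "read" or perm == "write"


def open_dossier(rules: Iterable[Rule], user_id: int, dossier: Dossier,
                 action: str = "read") -> Dossier:
    """The check run every time a dossier is opened: raise (so the caller can
    route the user away with an error) instead of returning the record."""
    if not is_allowed(rules, user_id, dossier, action):
        raise PermissionError(f"user {user_id} may not {action} dossier {dossier.id}")
    return dossier


def accessible_dossiers(rules: Iterable[Rule], dossiers: Iterable[Dossier],
                        user_id: int, org_id: int) -> List[Dossier]:
    """Scope-like list filter built on the same evaluation as open_dossier,
    so the list view and the single-record check cannot disagree."""
    rules = list(rules)
    return [d for d in dossiers
            if d.org_id == org_id
            and effective_permission(rules, user_id, org_id, d.id) is not None]


# Constructed sample data (dossier ids assumed to be numbered per organization).
DOSSIERS = [Dossier(1, 10, "visitor A"), Dossier(2, 10, "visitor B"),
            Dossier(2, 20, "visitor C")]   # same dossier id 2 in a different organization
RULES = [
    Rule(org_id=10, user_id=1, kind="internal", permission="write"),                # owner-style full access
    Rule(org_id=10, user_id=2, kind="internal", permission="read"),                 # internal, read-only
    Rule(org_id=10, user_id=3, kind="external", permission="write", dossier_id=2),  # external, one dossier
]

if __name__ == "__main__":
    print([d.id for d in accessible_dossiers(RULES, DOSSIERS, 3, 10)])   # [2]
    try:
        open_dossier(RULES, 2, DOSSIERS[1], "edit")
    except PermissionError as exc:
        print(exc)
```

The point of routing both the list filter and the per-record check through `effective_permission` is that whichever mechanism a framework calls a "scope" ends up being a query-time convenience over the same rules table rather than a second, separately maintained source of truth; the per-record check on open is still needed because a scope only narrows what a list returns and does not by itself distinguish read-only users from users who may edit or delete.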