So my understanding of RBAC is that Users have Roles, Roles have Permissions, and there should be a Permission-Object mapping.
I'm having a bit of a business logic problem though concerning RBAC. For this problem we have two Roles, Player and GM. I would like the GM to be able to grant read access to certain objects to Players. In theory I need to grant the GM Read permission as well.
Role   | Permission
-------------------
GM     | read_place
Player | read_place

Object id | Permission
----------------------
1         | read_place

Now both GMs and players could read the object with id 1. But if I revoked the permission on the object, neither could.
Object id | Permission | Role
-----------------------------
1         | read_place | GM

This would allow only GMs to read object 1.
Role   | Permission
--------------------------
GM     | gm_read_place
Player | player_read_place

Object id | Permission
----------------------
1         | gm_read_place

This would allow the GMs to read without players being able to, unless the GM granted the permission to the object.
Both solutions feel dirty. Am I missing something? Is there a better solution?
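An added example, not from the original post, of the second layout (object id, permission, role) in code: a GM opening object 1 to Players and later closing it again never touches the GM's own access, because each per-object grant is scoped to one role. The class and function names, `demo`, and the object ids are assumptions for illustration.

```python
from collections import defaultdict

# Role -> set of permission names (the post's role/permission table).
ROLE_PERMISSIONS = {
    "GM": {"read_place"},
    "Player": {"read_place"},
}


class ObjectACL:
    """Per-object grants keyed by (object_id, permission), each holding the roles allowed."""

    def __init__(self):
        self._grants = defaultdict(set)

    def grant(self, object_id, permission, role):
        # E.g. a GM opening one place to Players without changing the Player role itself.
        self._grants[(object_id, permission)].add(role)

    def revoke(self, object_id, permission, role):
        self._grants[(object_id, permission)].discard(role)

    def allows(self, object_id, permission, role):
        # Unknown objects and unknown permissions are denied by default.
        return role in self._grants.get((object_id, permission), set())


def can(role, permission, object_id, acl):
    """Allow only if the role holds the permission AND the object is granted to that role."""
    return permission in ROLE_PERMISSIONS.get(role, set()) and acl.allows(object_id, permission, role)


def demo():
    # Constructed walk-through of the post's scenario with object id 1.
    acl = ObjectACL()
    acl.grant(1, "read_place", "GM")                       # object 1 starts GM-only
    before = (can("GM", "read_place", 1, acl), can("Player", "read_place", 1, acl))
    acl.grant(1, "read_place", "Player")                   # GM opens it to Players
    during = (can("GM", "read_place", 1, acl), can("Player", "read_place", 1, acl))
    acl.revoke(1, "read_place", "Player")                  # and closes it again
    after = (can("GM", "read_place", 1, acl), can("Player", "read_place", 1, acl))
    return before, during, after
```

Who may call `grant` is not checked here; in a real system that call would itself be an authorized GM action, so the grant table cannot be edited by Players.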