Conditional Authorization for a Child Collection

Old forum URL: forums.lhotka.net/forums/t/3106.aspx


JabbaTheNut posted on Wednesday, June 27, 2007

I have the following objects:

Organization (parent)

---OrganizationRoles (child collection)

------OrganizationRole (child object)

Each Organization can have several roles (i.e., Issuer, Broker, Agent, Sponsor, etc.).  Organization Administrators are authorized to add, edit and delete most of an Organization's roles.  However, some of the roles must be managed by other administrators.  For example, the Issuer role must be managed by an Issuer Administrator and the Agent role by an Agent Administrator.

Typically, I would control authorization to a child object through the CanCreateObject(), CanEditObject(), etc. methods.  However, in the above case, I would need to implement instance-based authorization which would be driven by the role being created.  This would make UI management somewhat cumbersome.

My question is...

Am I approaching this from the wrong direction?  How are others approaching this type of problem?

I thought about adding properties to the Organization object (one for each role) because I can easily control authorization of each property.  The problem, however, is that there are a large number of roles and more could be added over time.

Another thought was to break my OrganizationRoles into groups (e.g., IssuerRoleGroup, AdminRoleGroup, GeneralRoleGroup).  But this seems a bit silly.

Any advice would be appreciated.
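
The instance-based check described in the post, sketched as an added example that is not part of the original post and not CSLA's own code: a data-driven map from each organization role to the administrator role allowed to manage it, so new restricted roles need no new properties or role groups. All class, method and role-string names are hypothetical, and only plain .NET types are used.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical names throughout; plain .NET, no CSLA base classes.
public static class OrganizationRoleAuthorization
{
    // Fallback for roles that have no dedicated administrator.
    private const string DefaultManager = "OrganizationAdministrator";

    // Organization role -> administrator role allowed to manage it.
    // New restricted roles are added here (or loaded from a table).
    private static readonly Dictionary<string, string> RestrictedManagers =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "Issuer", "IssuerAdministrator" },
            { "Agent",  "AgentAdministrator"  },
        };

    public static string RequiredManager(string organizationRole)
    {
        if (string.IsNullOrWhiteSpace(organizationRole))
            throw new ArgumentException("Role name is required.", nameof(organizationRole));
        return RestrictedManagers.TryGetValue(organizationRole, out var manager)
            ? manager
            : DefaultManager;
    }

    // Instance-level check: the result depends on which role is being managed.
    // Unauthenticated or missing principals are denied.
    public static bool CanManage(IPrincipal user, string organizationRole)
    {
        return user != null
            && user.Identity != null
            && user.Identity.IsAuthenticated
            && user.IsInRole(RequiredManager(organizationRole));
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample principal: an organization administrator only.
        var orgAdmin = new GenericPrincipal(
            new GenericIdentity("alice"), new[] { "OrganizationAdministrator" });

        foreach (var role in new[] { "Broker", "Sponsor", "Issuer", "Agent" })
            Console.WriteLine($"{role}: {OrganizationRoleAuthorization.CanManage(orgAdmin, role)}");
    }
}
```

The same `CanManage` call can back both the UI (to enable or hide controls per role) and the collection's add, edit and remove paths, so the business layer still enforces the rule if the UI check is bypassed.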

Copyright (c) Marimer LLC