We're building our API and looking for an organized way to grant users access based on what role and permission they have.
From the starting point, we have 3 roles
- Admin: can get and edit everything in his organization
- Team Admin: can get and edit only his team info and users' info
- User: can get any edit his own information
Entity
- Team
- User
For Security Filters:
- We're using JAX-RS with Security Roles and @RoleAllowed to filter access to resources
Id-based filter by if / then / else function. Example with a team admin access to a user.
function isAllowAccess(teamAdminId, userId) { allowedUserIdsList = queryfor(teamAdminId); if (userId in allowedUserIdsList) then ... else BAD_REQUEST }
This code is growing with the increase complexity of multiple roles and many entities. So my questions:
What will be the best way to have an organized id-based filter, is there reputable library for this?
Should we maintain a separate table containing accessible ids of each entity for each team_admin_id? Then every row updated or inserted will trigger the update of this table.
Is there a formal or widely acceptable method to reduce database call overhead in each call just to check if the team_admin is allowed to access a particular user?
