Roles with Parents and Scopes

Posting a question here for community input instead of the Roles GitHub, b/c the forums are fun.

Consider the following scenario: A multi-tenant app, where each tenant / entity can have multiple users and multiple roles – including custom roles.

The app itself has permissions to specific functionality – the CRUD stuff.

From what I can tell, there are basically four levels to Roles:

  1. The user
  2. A parent role
  3. A child role
  4. A scope

Ideally, I could create a role named “user” for each tenant, then add a bunch of CRUD permissions (insert-document, manage-documents, etc) as roles and assign them all to the parent role of “user”.

I would repeat this for each tenant by using scopes.

Then in my app, I’m just checking if userIsInRoleAsync('insert-document', 'real-madrid') to find out if the user (currently in the “user” role for the tenant real-madrid) can insert documents.

Normally, it would be easy to just use “user” permission checks everywhere, but we have custom roles, which could have any combination of permissions. So we need another layer.

This was going smoothly until I found out that Roles.addRolesToParentAsync() doesn’t include a scope option, which means I can’t set the specific permissions limited to a specific tenant.

Am I missing something? This feels like a fairly normal use case, and yet I feel like I have to wedge roles, permissions, and entities in different ways and pull some of the permission checks out of Roles entirely to get it to work.

As always, thank you to the amazing Meteor community for your feedback and ideas!
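The two layers described above, as an added example that is not part of the original post and not the Roles package's own code: a small hypothetical in-memory model in which parent/child links are global while role assignments carry a scope, checked against the tenant names from the post (the users and the `demo()` helper are constructed).

```javascript
// Hypothetical model (not the Roles package): role definitions (parent -> children)
// are global, while each assignment of a role to a user is tied to one scope.
const roleChildren = new Map();   // roleName -> Set of child role names
const assignments = [];           // { userId, role, scope }

function createRole(name) {
  if (!roleChildren.has(name)) roleChildren.set(name, new Set());
}

// Mirrors the post's point: there is no scope here, the link applies to every tenant.
function addRolesToParent(children, parent) {
  createRole(parent);
  for (const c of children) { createRole(c); roleChildren.get(parent).add(c); }
}

function addUsersToRoles(userId, roles, scope) {
  for (const role of roles) { createRole(role); assignments.push({ userId, role, scope }); }
}

// Expand a role into itself plus every descendant; `seen` guards against cycles.
function expand(role, seen = new Set()) {
  if (seen.has(role)) return seen;
  seen.add(role);
  for (const c of roleChildren.get(role) ?? []) expand(c, seen);
  return seen;
}

// Scoped check: only assignments in this scope count, inherited children included.
function userIsInRole(userId, role, scope) {
  return assignments
    .filter(a => a.userId === userId && a.scope === scope)
    .some(a => expand(a.role).has(role));
}

// Constructed scenario using the post's tenant and role names.
function demo() {
  addRolesToParent(['insert-document', 'manage-documents'], 'user');
  addUsersToRoles('alice', ['user'], 'real-madrid');
  addUsersToRoles('carol', ['user'], 'barcelona');
  // Custom role handled as the reply suggests: assign the permission roles directly, with a scope.
  addUsersToRoles('bob', ['insert-document'], 'barcelona');
  return {
    aliceInsertMadrid: userIsInRole('alice', 'insert-document', 'real-madrid'), // true
    aliceInsertBarca:  userIsInRole('alice', 'insert-document', 'barcelona'),   // false: scope differs
    carolInsertBarca:  userIsInRole('carol', 'insert-document', 'barcelona'),   // true: same global children
    bobInsertBarca:    userIsInRole('bob', 'insert-document', 'barcelona'),     // true
    bobManageBarca:    userIsInRole('bob', 'manage-documents', 'barcelona'),    // false
  };
}
```

The `carol` result is the limitation in the question: because the parent/child link has no scope, every tenant's "user" role receives the same children.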

A user can have multiple roles. Can’t you just assign the custom role to the user? Or is there anything specific which prevents that?

Another view:
In a tenancy environment almost all role checks use a scope. Why would you want to assign a scope when adding a role to a user?

You would never check on only the role? Having the role does not grant any access, only with a scope it would actually do something useful?