I’m working on a security policy system design and I’m facing an existential question.
Some of the policies have a model-level scope that could be defined like so:
UserGroup x EntityType x AccessMode -> Boolean
Meanwhile, I want to have finer policies that operate at data level, to restrict users to accessing only specific instances.
UserGroup x Set<EntityType> x AccessMode -> Boolean
In one case, the policy is defined over a Data Model, in the other over Data.
I’m not especially familiar with security policies. Is it a bad design to have two different kinds of policies cohabit? Or is it just a misunderstanding that I have, and they work seamlessly?
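One way the two policy shapes from the question can be evaluated together, as an added example that is not part of the original post. The class and function names, the sample policies, the reading of the set as a set of instances, and the composition rule (default deny at model level, with data-level scopes only narrowing a model-level grant) are all assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

class AccessMode(Enum):
    READ = "read"
    WRITE = "write"

@dataclass(frozen=True)
class Instance:
    entity_type: str   # hypothetical entity type name, e.g. "Invoice"
    instance_id: int

@dataclass
class PolicyEngine:
    # Model-level grants: UserGroup x EntityType x AccessMode -> Boolean
    model_grants: set = field(default_factory=set)
    # Data-level scopes: (group, type, mode) -> instance ids the group may touch
    data_scopes: dict = field(default_factory=dict)

    def model_allows(self, group, entity_type, mode):
        # Default deny: anything not granted explicitly is refused.
        return (group, entity_type, mode) in self.model_grants

    def data_allows(self, group, instances, mode):
        # UserGroup x Set<instance> x AccessMode -> Boolean.
        # True only if every instance lies inside the group's scope;
        # a missing scope means no instance restriction was defined.
        for inst in instances:
            scope = self.data_scopes.get((group, inst.entity_type, mode))
            if scope is not None and inst.instance_id not in scope:
                return False
        return True

    def is_allowed(self, group, instances, mode):
        # Assumed composition: the data-level policy can only narrow what
        # the model-level policy grants, never widen it.
        types = {inst.entity_type for inst in instances}
        if not types or not all(self.model_allows(group, t, mode) for t in types):
            return False
        return self.data_allows(group, instances, mode)

def demo_engine():
    # Constructed sample policies, not taken from the post.
    grants = {("sales", "Invoice", AccessMode.READ),
              ("admin", "Invoice", AccessMode.READ),
              ("admin", "Invoice", AccessMode.WRITE)}
    scopes = {("sales", "Invoice", AccessMode.READ): {1, 2}}
    return PolicyEngine(model_grants=grants, data_scopes=scopes)
```

With this rule, a request is refused as soon as either layer refuses it, so a data-level scope can never grant access that the model-level policy withholds.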