Great question, Rares Pop, I am indeed overloading a single policy with multiple concerns. I like the idea of using multiple policies to better separate concerns, but attaching them to different roles may not work for the requirements laid out in the article.
I am essentially trying to define permissions that are item-specific, meaning items may demand different policies based on their attributes but all users should have the same policies enforced on them. If there were roles like admin or editor that had access to items irrespective of the ACL, a user-specific policy would be perfect for that case.
Another way smaller policies could be achieved is with verb-specific policies. Take the following policy attributes from my examples:
create policy item_owner
on items
as permissive
for all
to application_user
That for all could easily be broken out into four more interesting policies that define separate behaviors for insert, for update, etc. To take it a step further, leveraging permissive and restrictive policies allows us to design more complex AND/OR permission-based logic.
Let me know if you’ve stumbled upon something I still don’t see; I’d love to further improve upon my strategy!
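As an added illustration of the verb-specific and permissive/restrictive split discussed above (example code, not from the comment or the article it replies to), the following assumes an items table with owner, published and archived columns, a role named application_user, and a hypothetical session setting app.user that carries the caller's identity:

```sql
-- Added example, not from the original comment or the article it replies to.
-- Assumed: an items table with owner/published/archived columns, a role named
-- application_user, and a hypothetical session setting app.user that carries
-- the caller's identity (set with SET app.user = '...').

CREATE TABLE items (
    id        serial  PRIMARY KEY,
    owner     text    NOT NULL,
    published boolean NOT NULL DEFAULT false,
    archived  boolean NOT NULL DEFAULT false
);
ALTER TABLE items ENABLE ROW LEVEL SECURITY;

-- Permissive policies are OR-ed: a row passes if any one of them allows it.
-- Anyone may read published items; owners may also read their own unpublished ones.
CREATE POLICY item_read_published ON items AS PERMISSIVE
    FOR SELECT TO application_user USING (published);
CREATE POLICY item_read_own ON items AS PERMISSIVE
    FOR SELECT TO application_user USING (owner = current_setting('app.user'));

-- INSERT has no existing row, so only WITH CHECK applies: the new row must
-- name the caller as its owner.
CREATE POLICY item_insert_own ON items AS PERMISSIVE
    FOR INSERT TO application_user
    WITH CHECK (owner = current_setting('app.user'));

-- UPDATE: the caller must own the row before (USING) and after (WITH CHECK).
CREATE POLICY item_update_own ON items AS PERMISSIVE
    FOR UPDATE TO application_user
    USING (owner = current_setting('app.user'))
    WITH CHECK (owner = current_setting('app.user'));

CREATE POLICY item_delete_own ON items AS PERMISSIVE
    FOR DELETE TO application_user USING (owner = current_setting('app.user'));

-- Restrictive policies are AND-ed with the permissive result: an archived row
-- cannot be updated even by its owner. WITH CHECK (true) still lets an owner
-- flip archived to true on a live row.
CREATE POLICY item_frozen_when_archived ON items AS RESTRICTIVE
    FOR UPDATE TO application_user
    USING (NOT archived) WITH CHECK (true);
```

Note that a restrictive policy only narrows what the permissive ones grant, so at least one permissive policy must exist for the command or every row is denied; if app.user is unset, current_setting raises an error rather than silently matching nothing.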