I want to allow every user with a role to be granted access to all entities of a given type
-
Say I have a large number of entities called Equipment. I have an application with a role "Viewer". I want all users with that role to be granted access to all Equipment entities.
How can I do this?
-
I'd use a webhook to provision/deprovision the grants.
https://fusionauth.io/docs/v1/tech/events-webhooks/events/user-registration-create-complete/ has the roles for the application, so in the webhook, you can call the FusionAuth grant API to create or revoke the grant.
For initial setup, run a script to get all the users that have a given role (using a user search query) and then grant them access to all the entities.
Think about what happens when a new piece of equipment is added. From what I gather, all users with the "viewer" role will need to be granted access to that equipment. You can take care of that within the 'new equipment added' script: provision the equipment, then add the grant to all users with the "viewer" role.
Depending on when you are going to check the grant and the number of users and pieces of equipment, this may be a good thing to use a queue like SQS for, to add/revoke/update grants asynchronously.
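As an added illustration of the two flows in this reply (not code from the thread or from FusionAuth itself), here is a Python sketch: a side-effect-free planner that turns a `user.registration.create.complete` webhook event into entity grant calls, plus the reverse direction for a newly provisioned piece of equipment. The event field names, the `/api/entity/{id}/grant` and `/api/entity/search` request shapes, the `type.name:Equipment` query, and all IDs and the API key are assumptions to check against your own FusionAuth version.

```python
"""Webhook-driven grant provisioning for FusionAuth entities (added example, assumed API shapes)."""
import json
import urllib.request

# Constructed placeholders: replace with your own instance, key, application and permissions.
FUSIONAUTH_URL = "http://localhost:9011"
API_KEY = "<fusionauth-api-key>"
VIEWER_APP_ID = "00000000-0000-0000-0000-0000000000a1"
VIEWER_ROLE = "Viewer"
EQUIPMENT_PERMISSIONS = ["read"]  # permission names defined on your Equipment entity type


def plan_grants(event, equipment_ids):
    """Grant requests implied by one webhook event; [] when nothing should change.

    Only user.registration.create.complete events for the Viewer application whose
    registration carries the Viewer role produce grants (one per Equipment entity).
    """
    ev = event.get("event", {})
    reg = ev.get("registration", {})
    if ev.get("type") != "user.registration.create.complete":
        return []
    if reg.get("applicationId") != VIEWER_APP_ID or VIEWER_ROLE not in reg.get("roles", []):
        return []
    user_id = ev["user"]["id"]
    return [("POST", f"/api/entity/{eid}/grant",
             {"grant": {"userId": user_id, "permissions": EQUIPMENT_PERMISSIONS}})
            for eid in equipment_ids]


def grants_for_new_equipment(entity_id, viewer_user_ids):
    """Reverse direction: one newly added Equipment entity, every existing Viewer user."""
    return [("POST", f"/api/entity/{entity_id}/grant",
             {"grant": {"userId": uid, "permissions": EQUIPMENT_PERMISSIONS}})
            for uid in viewer_user_ids]


def fusionauth(method, path, body):
    """Minimal authenticated FusionAuth API call (assumed header and JSON conventions)."""
    req = urllib.request.Request(FUSIONAUTH_URL + path, method=method, data=json.dumps(body).encode(),
                                 headers={"Authorization": API_KEY, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")


def list_equipment_ids():
    """IDs of all Equipment entities via entity search (query syntax is an assumption)."""
    body = {"search": {"queryString": "type.name:Equipment", "numberOfResults": 10000}}
    return [e["id"] for e in fusionauth("POST", "/api/entity/search", body).get("entities", [])]


def handle_webhook(event):
    """Webhook entry point: provision grants for a freshly registered Viewer."""
    for method, path, body in plan_grants(event, list_equipment_ids()):
        fusionauth(method, path, body)
```

Pushing the planned tuples onto a queue instead of calling `fusionauth` inline is the asynchronous variant the reply mentions; the planner stays the same.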