...
Background
Current Object Models
| AccessRequirement (interface) |
|---|
| Long id |
| String createdOn |
| String modifiedOn |
| String createdBy |
| String modifiedBy |
| String concreteType |
| String etag |
| List<RestrictableObjectDescriptor> subjectIds |
| Long versionNumber |
| ACCESS_TYPE accessType |
Current APIs
- POST /accessRequirement
- GET /accessRequirement/{requirementId}
- PUT /accessRequirement/{requirementId}
- POST /entity/{id}/lockAccessRequirement
- GET /entity/{id}/accessRequirement
- GET /team/{id}/accessRequirement
...
Currently, each AccessRequirement can be applied to multiple subjects. Every time a subject is added or removed from the AccessRequirement, the AccessRequirement is updated. While Since applying an AccessRequirement to a subject is a relationship between AccessRequirement and subject, adding or removing subjects from AccessRequirement should only change the relationship between the subjects and the AccessRequirement, and do not update the AccessRequirement.
Also, changing this relationship may make the subject more or less accessible to users. The change should trigger a change message on the subject itself so that we can correctly authorize users' actions on the subject.