...
Add the permissions table, service, APIs, completely separate from existing security so they are completely functional;
Create bridge code so that organization memberships are mired in the permissions table (only needs to be one way);
Create bridge code so that role changes create the counterpart permissions (only needs to be one way);
Migrate all existing account roles to the new permissions tables;
Annotate our controllers with the new permissions;
Switch over external tools to use permissions apis rather than account APIs to manage permissions;
Remove roles and bridge code from accounts.
Multiple organization membership
Once we have a permissions table, we can implement accounts being in multiple organizations. The utility of this construct will be lessened (because people can be permitted to act directly against a study) but it may still be important for the futureInitially we modeled this as an object relationship in the database. I’m struggling to figure out why this can’t just be modeled in the permissions table. The value of organizations is also decreased since it’s just a construct to limit who you can see working in an app (which we must to support studies as isolated tenants in a single app). However if we need to, we can introduce a Membership associative table between Accounts and Organizations.