...
- A "role" is a collection of permissions. E>g. if the available permissions for an entity are Create, Read, Update and Delete, there might be an Editor role which includes Read and Update. To meet the data layer access requirements we propose to extend the current permission scheme:
1) Instead of defining permissions on an entity, we define permissions on a property within an entity;
2) Instead of granting individual permissions on an entity to a principal, we grant a role to a principal
So instead of <Principal, Entity, AccessType> we have <Principal, Entity, Role> where Role=<Property, AccessType>.
Under this model we can separately grant read access to a layer's basic properties (name, created date, description) and its location. Read access to a layer's location is the equivalent of download access.