...
- A "role" is a collection of permissions. E.g. if the available permissions for an entity are Create, Read, Update and Delete, there might be an Editor role which includes Read and Update. To meet the data layer access requirements we propose to extend the current permission scheme:
1) Instead of defining permissions on an entity, we define permissions on a property within an entity;
...
So instead of ACL = <Entity, {<Principal, AccessType>Permission}> (where "{}" indicates a set and "<>" a tuple) we have ACL = <Entity, {<Principal, Role>}> where Role = {<Property, AccessType>Permission}. (Q: Is a 'role' entity specific? How do we grant access to non-property aspects of an entity?)
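The proposed structure can be exercised as a small property-level access check. This is an added example, not code from the proposal. It assumes roles are looked up by name in a shared table and that access is denied by default; `is_allowed`, `readable_view`, `apply_update` and the sample article are hypothetical, and non-property aspects of an entity are not modelled.

```python
from dataclasses import dataclass, field
from enum import Enum


class AccessType(Enum):
    CREATE = "create"
    READ = "read"
    UPDATE = "update"
    DELETE = "delete"


@dataclass
class ACL:
    """ACL = <Entity, {<Principal, Role>}>, with roles referenced by name."""
    entity: str
    grants: set = field(default_factory=set)  # {(principal, role_name)}


def is_allowed(acl, roles, principal, prop, access):
    """Deny by default: unknown principals, roles and properties get nothing."""
    return any(who == principal and (prop, access) in roles.get(role, frozenset())
               for who, role in acl.grants)


def readable_view(acl, roles, principal, record):
    """Return only the properties of record that principal may read."""
    return {k: v for k, v in record.items()
            if is_allowed(acl, roles, principal, k, AccessType.READ)}


def apply_update(acl, roles, principal, record, changes):
    """All-or-nothing update: one unpermitted property rejects the request."""
    denied = sorted(p for p in changes
                    if not is_allowed(acl, roles, principal, p, AccessType.UPDATE))
    if denied:
        raise PermissionError(f"{principal} may not update: {', '.join(denied)}")
    return {**record, **changes}


# Constructed sample data. Role = {<Property, AccessType>}.
R, U = AccessType.READ, AccessType.UPDATE
ROLES = {
    "Editor": frozenset({("title", R), ("title", U), ("body", R), ("body", U)}),
    "Reviewer": frozenset({("title", R), ("body", R), ("notes", R), ("notes", U)}),
}
ARTICLE = {"title": "Draft", "body": "text", "notes": "", "owner_email": "o@example.org"}
ARTICLE_ACL = ACL("article:1", {("alice", "Editor"), ("bob", "Reviewer")})
```

No role in the sample table names `owner_email`, so it is never returned by `readable_view`, which shows how a property added to an entity later stays inaccessible until a role explicitly lists it.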
...