When designing user roles for the application I’d like to employ what I’d call additivity.
Let’s have a standard user position, who has access to a certain set of application roles to screens in read-only mode. Now let’s introduce a manager user position, who has access to the same set of screens as the standard user and some extra analytics screens.
The first position can be used as a user role. In case of the second position I could just define the extra analytics screens for a user role and assign both user roles to the user. The problem comes when we decide that the manager user should have some of the screens of the standard user in edit mode. If I declare the screen as editable in the second application role, the first application role declaring the screen as read-only still takes precedence.
I propose that if there are two application roles, one declaring the screen as read-only and the second declaring it editable, the result should be an editable screen.
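The two merge rules discussed above, side by side, as an added example that is not part of the original post or the product's own code. The role contents, screen names and function names are hypothetical; `policy_diff` lists the screens whose effective access would change if the additive rule replaced the read-only-wins rule, which is the set an administrator would want to review before switching.

```python
from enum import IntEnum


class Access(IntEnum):
    READ_ONLY = 1
    EDITABLE = 2


# Constructed sample roles: screen name -> access mode declared by that role.
STANDARD_USER = {"orders": Access.READ_ONLY, "customers": Access.READ_ONLY}
MANAGER_EXTRA = {"analytics": Access.READ_ONLY, "orders": Access.EDITABLE}


def merge(roles, pick):
    """Combine role declarations; `pick` resolves a screen declared by several roles."""
    effective = {}
    for role in roles:
        for screen, mode in role.items():
            if screen in effective:
                effective[screen] = pick(effective[screen], mode)
            else:
                effective[screen] = mode
    return effective


def read_only_wins(roles):
    """Behaviour described in the post: a read-only declaration takes precedence."""
    return merge(roles, min)


def additive(roles):
    """Behaviour proposed in the post: an editable declaration takes precedence."""
    return merge(roles, max)


def policy_diff(roles):
    """Screens whose effective access differs between the two merge rules."""
    before, after = read_only_wins(roles), additive(roles)
    return sorted(screen for screen in after if before[screen] != after[screen])


if __name__ == "__main__":
    manager = [STANDARD_USER, MANAGER_EXTRA]
    print("read-only wins:", read_only_wins(manager))
    print("additive:      ", additive(manager))
    print("changed screens:", policy_diff(manager))
```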