RBAC: Design for users belonging to multiple roles
3 by udanisaloni | 0 comments on Hacker News.
We are designing Identity and Access Management for our application. We have different orgs using our app. Each org may have some sub orgs. Users belong to one or more sub orgs. A user can have different roles in each sub org. E.g., a user U1 belongs to Org O1 / Sub Org SB1 and Org O1 / Sub Org SB2. Now the user can have the Admin role in SB1 and a Non-Admin role in SB2. Now when U1 logs in, the user needs to select which sub org he wants to operate in, and accordingly all roles will be fetched. In standard RBAC, we can link a user to multiple roles, but that will give the user all permissions in all those roles. In our case we want to tie a user to multiple roles, but those roles exist in different contexts, SB1 and SB2. So we do not want combined evaluation of permissions from both roles. Also, we want to define the permissions assigned to each role in one place only. Is there any proven, extensible design to serve this kind of use case?
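One way to model the requirement in the post, as an added example that is not part of the original post: role assignments are keyed by (user, org, sub org), each role's permissions are defined once, and a session activates only the roles of the sub org chosen at login. The permission strings and the function names are hypothetical, and the sample data is constructed from the U1 / O1 / SB1 / SB2 case above.

```python
from dataclasses import dataclass

# Permissions are defined once per role, independent of any sub org.
# Permission names are hypothetical.
ROLE_PERMISSIONS = {
    "admin": frozenset({"user:invite", "report:read", "report:write"}),
    "non-admin": frozenset({"report:read"}),
}

# Constructed sample data: the assignment carries the context, the role does not.
# (user, org, sub org) -> roles held in that sub org only.
ASSIGNMENTS = {
    ("U1", "O1", "SB1"): {"admin"},
    ("U1", "O1", "SB2"): {"non-admin"},
}


@dataclass(frozen=True)
class Session:
    user: str
    org: str
    sub_org: str
    roles: frozenset


def open_session(user, org, sub_org):
    """Activate only the roles assigned in the sub org selected at login."""
    roles = ASSIGNMENTS.get((user, org, sub_org))
    if not roles:
        raise PermissionError(f"{user} has no role in {org}/{sub_org}")
    return Session(user, org, sub_org, frozenset(roles))


def is_allowed(session, permission, resource_org, resource_sub_org):
    """Deny by default; a session never reaches outside its own sub org."""
    if (resource_org, resource_sub_org) != (session.org, session.sub_org):
        return False
    granted = set()
    for role in session.roles:
        granted |= ROLE_PERMISSIONS.get(role, frozenset())
    return permission in granted
```

Switching sub org means opening a new session, so permissions from SB1 and SB2 are never evaluated together.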
Abubakar Mahmoud Sadiq