Part of my app contains employee entites with personal data. Users of my app will be team leaders and other managers working with the data of their respective team. What would be the best or a recommended way of securing the employee data? My current idea would be to introduce a new “scope” entity referencing to multiple employees (making up the permitted scope). Each user of the app (through a specialisation of the Administartion.Account) owns one of these scopes as part of his “user settings”. Admins (e.g. Human Resource) are the only ones with write permission on the scop entity, meaning they can change which employees a certain manager has access to. Access itself is done on entity level with XPath accessing the current user’s scope entity. Is this a good idea?
I would just use user roles for it: employee, manager and HR. Then entity access can be set based on this role. And you probably still need some organisational or project entity to attach employees, managers and HR to these entities. This way you can set the XPath that a manager can only see employees that belong to the same entity that he or she is attached to.