The Fleet Tool is a sort of extranet, where each of our customers can see (only) their orders and approve a detail on them.
To control access, I have these privilege sets:
- [Full Access]
- Client: the internal client users, with rights to all data
- Fleet Tool Manager: limited access to a set of layouts via WebDirect, to support a flow at the customer side. This person can approve an order.
- Fleet Tool Assistant: almost the same access as the Fleet Tool Manager, except this person can only prepare an order, not approve it.
In Fleet Tool Manager & Assistant, I've limited access to order & linked records based on an expression:
$$CustomerID = Order::CustomerID
The reason for the two privilege sets is to distinguish the assistants from the managers when showing buttons on an Order detail layout: Manager can approve, Assistant cannot approve.
Now my question: while I'm enhancing the Fleet Tool solution, I'm adding tables, records, etc., and with the current approach I need to keep the 2 privileges exactly the same. That's cumbersome, and not how I perceive a security system.
What I want to do is:
- define a single set of access rules to the Fleet Tool (Privilege)
- have 2 variants, so I can distinguish the Manager from the Assistant
However, with Extended Privileges I cannot re-use the single Privilege set, since I'm linking an extended priv set to a priv set, not to a user.
What's a clean way to do this with one Privilege Set?