Owner-Based Access Control (Dynamic Policies)

[tvanh3]

Currently, Manifest supports role-based access control (RBAC) using predefined roles like admin or user. However, there is no way to define ownership-based access, where a user can update only their own records (e.g., a user should only be able to update their own user entity, but an admin should be able to update all users).

Example:

entities:
  User:
    properties:
      - name
      - email
    policies:
      update:
        - { access: restricted, allow: [current_entity_owner, Admin] } 

[brunobuddy]

@tvanh3 I love the implementation

We are aware that RBAC does not include the concept of ownership and that this is critical for many applications. We will work on that soon.