How do I correctly use Parse.Roles relationships for multiple Parse.Objects and Users over time?

Question

Most of the following is done with the parse-dashboard so it's a bit wordy, but I understand the code just not the relationships.

I'm setting Parse.Roles and it seems like each individual Parse.Object needs to have the Role set to have access to a given Parse.Object. For example, an Object ACL needs to contain both "Admin" and "Moderator" (with respective permissions) for Admins or Moderators to have access.

Since parent and child roles are possible, it would make sense to set a Parse.Object's ACL with the "Organization" Role, which is then further modified by the child Role. So, a "Viewer" within an "Organization" cannot Write, but an "Admin" within the "Organization" can Read/Write. I've tried multiple ways of doing this - associating one user to a "Viewer" and one to an "Admin" within an "Organization" but this does not seem to work.

My Current Solution: To manually/programmatically set each Parse.Object ACL with multiple pre-set Roles. E.g. Parse Class "Person" with ACL Roles "Viewer" & "Admin".

Question: If I want to create a different Role in the future for this same Organization, will I need to loop through each Parse.Object and manually set the new Role for each of the past Objects?

It would make sense that these relationships should be managed by the parent Organization so that this doesn't need to be done manually, but this doesn't seem to work.

Any answers, thoughts, or links are appreciated.

Answer 1

As you have mentioned, roles can have roles and inherit the privileges of their parent role.

Hence, if the new role applies to all objects of a class or a group of them, you don't need to loop through all parse objects.

I will give you an example:

Let's say you have a class named Posts.

• you have a role name viewer, and you have a role named editor.

• when you create a new post object, you add both roles viewer and editor as the ACL of the post object. For instance, the viewer role can only have read access and editor may have both read and write access.

For each organization:

• First you create a role name uniqueOrganizationName
• Then you add all users belong to that organization to uniqueOrganizationName users (relation).

Now, in the future, if you want to add all users of that organization to for instance editorRole, instead of adding editorRole to all user objects, you can add uniqueOrganizationName to editorRole roles. Now, all users of that organization can modify all posts. If you want some users of the organization to be able to edit the post, the you add those users to editorRole users.

Note: this approach is global. so the organization editors may edit all posts objects. If you want to limit the editors of an organization to only be able to edit posts belong that that organization:

• create two unique role for each organization viewUniqueOrganizationRole & editUniqueOrganizationRole.

Now, when you create a new post, depending on what organization that post belongs to, you add viewUniqueOrganizationRole && editUniqueOrganizationRole to the ACL of the post object.

• After this, you can add users' to viewUniqueOrganizationRole to be able to view posts belongs to that organization or you can add users to editUniqueOrganizationRole so they can edit your post.

I hope I could answer your question. This is a complex design.