Looking for some input on best practices as it relates to permission management. The built-in permissions system is useful for hiding/showing certain applications from groups of users, but I often find I need more granular control - particularly with the introduction of multi-page apps.
For example, I have a multipage app to view and manage customers.
I have 2 permission groups - Customer Team and Support Team - both groups have permissions to use the multipage app 'Customer Management'
My initial challenge was that I only wanted Customer Team to be able to edit data on the pages - the Support Team needed only read-only access. I would simply do a check if current_user.groups contains Customer Team and enable the fields for editing if so.
This worked well until we onboarded many more users and many users didn't fall "nicely" into a specific group. An internal request was made that only some people on Customer Team should be able to edit data.
To solve for this, I am now setting a user attribute canEditCustomers to true/false on a per-user basis.
This works fine, but I'm not sure it's a very scalable solution. We're currently running 30+ multipage apps (each with a dozen pages) and I want to make sure I'm following best practices as we continue to build.
TLDR: I'm using permission groups to hide/show multipage apps to specific users, and then using user attributes to enable/disable specific pages and/or functionality on a per-user basis. Is this the best approach?