Ash Framework, 3y ago
18 replies
Idiomatic way to create attribute-specific policies

I'd like to create policies that describe which attributes an actor is allowed to CRUD, based on their attributes and other data in the model. Is there a way to do this without regard to the named action that is performing the operation? For example, I would like the attributes available for an employee record to differ based on whether the actor is themselves, an HR rep, a manager, their manager, etc. and have these policies enforced across all actions that touch those attributes.

Ideally, this would also be enforced transparently in the case that the attributes being requested are not explicitly specified. For example, if a user performs a bare read, they should simply get all—and only—the attributes that they have access to without error. If a user specifically requests a set of attributes containing a subset to which they do not have access, this should error out.