This requires support in the RBAC layer for "business rules". When such is available, it provides you the touch of dynamic decision that is needed.
Basically, the biz rule is a piece of code that is being run every time the permission is checked. This code is static but expect parameters to be handed to it. Here's an example (PHP shown):
// This code expect two given parameters: $params['owner_id'] and $params['user_id']
if ($params['owner_id'] == $params['user_id']) {
return true;
}
return false;
// This code assumes that returning true means 'permission granted' and returning
// false means permission not granted
You didn't state your underlying technology. That could help you get more accurate answers.
