My requirement is to query a list of operators based on some role. For example: give me a list of all employees who have the manager role.
Here is what I've tried, but it doesn't work for me:
1. HaveRole, HavePriv... couldn't be used, as these run in the logged-in user's context.
2. Can't rely on the Index-AccessGroupRoles table, as it wouldn't respect Access Deny checks.
3. I think we can't just open the AG and iterate over pyUserRoles, as this also may not respect deny checks.
One option (maybe not a great one) that may work here is to make a REST/SOAP/HTTP request with the operator, use HaveRole and HavePriv, and return the response... but this is not a good option: the user needs to use the credentials of the operator, and it doesn't work well in real-time scenarios. (My idea is to maintain a table between operator roles or AG roles.)
You are right that filtering out the access denies from a list of operators with a specific role is challenging. Since an access deny will apply conditionally, there isn't a simple filter. What is the business problem you are trying to solve by generating this list? Perhaps there is another way to solve it? Definitely, if you need a specific bit of data and don't know how to query the system for it in real time, storing it in a table when the operator is created/updated will work.
Thanks, Mike, for the response. Yes, I agree with you on solving this problem in multiple ways.
The business use case is: from a given organization/div/unit, let's pull operators (back office employees) having "X role, Y role and/or Z role" so that the end user can use this information to assign the work to the right person.
Yes, I planned to maintain a table which gets populated automatically whenever an operator is created/updated and evaluate the roles. I will use this table for querying purposes. I don't think roles will frequently change in any organization, so this shouldn't be a problem in real-time systems.