Can I make ACL definitions that are specific to different applications existing on the same tenant/tag? Long story short, the two applications have different conventions of how they want to control access/display the same data. We could make this role specific, but then if a user has both roles this also defeats the purpose.
No because 2 applications running on the same tag are the SAME application. You need to solve this in the design of your application somehow.
I don’t think that there is a real user story like: “user a needs to only be allowed to see data x while on one page and data y on the other page” and if there is such a thing then it should be solved with application logic. ACLs are for implementing security requirements and what you’ve outlined is not a security requirement,.
“Application” is a term used loosely in C3. We do not have that concept in the code base. We have packages and tenant/tag. A package, along with all the dependent packages, is deployed to a tenant/tag. And everything on a tenant/tag, at any point in time, is equivalent to an application. In other words, a vanity url endpoint represents an application.
Keeping above in perspective, frame requirements and then, it will be clear what solution to suggest.
I’ll do my best at presenting an example of the problem in the most general terms:
There is AppA and AppB (two packages with the same url endpoint, but I get it, same “app” altogether when on the same tenant/tag)
UserRoleA for AppA should be able to see all of ExampleType (currently no restrictions defined)
UserRoleB for AppB should be limited to the ExampleType they are able to see (currently doing this with ACLs)
So by introducing the ACLs from AppB, UserRoleA is no longer functional. However, granting UserRoleA access to all ExampleType means that a user with both roles no longer has the intended functionality in AppB.
Sounds like a solution should come from some sort of data source filtering rather than ACLs?