We have a function on a type that the user needs to use. For example,
SomeType.someFunction(). The users are granted access to this in their role via
However, this function calls
SomeType.removeAll(filter) within it. The user receives a 403 error (upon calling the API
SomeType?action=someFunction) that they are
not authorized to access Target [tenant/tag/SomeType?action=removeAll], even though they are not directly calling that.
The user does not, and should not, have access to
SomeType.removeAll; the function they are using,
someFunction, does checks to make sure the filter includes only things that the user should be removing.
How to we make sure that the user is able to run
SomeType.someFunction without granting them