Merge EntityPrivilege with MethodPrivilege

dear all,

I got stuck with the policy to access my data; maybe my "workflow" is wrong …

  • I have a model Vehicle

  • I have users with the role Maintainer. They can modify, via controller1, their own vehicles or vehicles they got access to. The model has an array field allowedEmails which is checked against the email of the logged-in user. So I have an EntityPrivilege like
    matcher: 'isType("…\Model\Vehicle") && !(property("allowedEmails").like("context.myContext.emailpattern"))'
    So they just see "their" entities …

  • and I have users with the role Observer. They are allowed to view ALL vehicles via controller2.

That's working fine, but now I have a user who is Maintainer AND Observer, and he/she should get access to either ALL entities (via controller2) or HIS/HER entities (via controller1). So this would be a combination of MethodPrivilege and EntityPrivilege, similar to 'isType("Vehicle") && method(Controller1->indexAction()) && !(property("allowedEmails").contains("myemail"))'

How to solve that? Do I have to create my own CustomPrivilege class? Would it help if I split the scenario across 2 different hosts (admin.domain.com and observer.domain.com)?

Any help would be appreciated!

ciao
H.