Multisite capabilities of Neos

Yes, that should be fairly easy using the NodeTreePrivilege. For the moment this means that you need at least one Role per site though (we’re working on a “groups”-feature that allows you to add parameters to a role, so this won’t be needed in the future).
Given you have two sites “site1” and “site2” the Policy.yaml could look like:

  privilegeTargets:
    'TYPO3\Neos\Security\Authorization\Privilege\NodeTreePrivilege':
      'Your.Site1:EditPrivilege':
        matcher: 'isDescendantNodeOf("/sites/site1")'
      'Your.Site2:EditPrivilege':
        matcher: 'isDescendantNodeOf("/sites/site2")'

  roles:
    'Your.Site1:Editor':
      privileges:
        -
          privilegeTarget: 'Your.Site1:EditPrivilege'
          permission: GRANT

    'Your.Site2:Editor':
      privileges:
        -
          privilegeTarget: 'Your.Site2:EditPrivilege'
          permission: GRANT

Now users with the role Your.Site1:Editor should have write access to all nodes of site1 and Your.Site2:Editor-users to nodes of site2 (untested).

Roles and privileges are an application-wide concept so they should be prepared by the developer/integrator via Policy.yaml. There are some concepts for a “Policy.yaml builder” (see RFC: Policy.yaml backend module for example) but usually this is something you don’t want to change during production!

However, with the “groups-feature” mentioned above it will be possible to specify certain parameters in the user module like user <foo> has role <editor> for site <site1> (see https://jira.neos.io/browse/FLOW-386 if you’re interested in the details).

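An added example, not part of the original post or of Neos itself: a simplified Python model for checking that the policy above keeps the two sites isolated, plus an audit for roles that span more than one site. The dict mirrors the post's Policy.yaml as constructed input; the segment-aware descendant test, the DENY-over-GRANT vote and all function names are assumptions of this sketch, not Flow's implementation.

```python
import re

# Constructed input: the Policy.yaml from the post, written as a Python dict.
NODE_TREE = r'TYPO3\Neos\Security\Authorization\Privilege\NodeTreePrivilege'
POLICY = {
    'privilegeTargets': {NODE_TREE: {
        'Your.Site1:EditPrivilege': {'matcher': 'isDescendantNodeOf("/sites/site1")'},
        'Your.Site2:EditPrivilege': {'matcher': 'isDescendantNodeOf("/sites/site2")'},
    }},
    'roles': {
        'Your.Site1:Editor': {'privileges': [
            {'privilegeTarget': 'Your.Site1:EditPrivilege', 'permission': 'GRANT'}]},
        'Your.Site2:Editor': {'privileges': [
            {'privilegeTarget': 'Your.Site2:EditPrivilege', 'permission': 'GRANT'}]},
    },
}

def target_roots(policy):
    """Map each privilege target to the path inside its isDescendantNodeOf() matcher."""
    roots = {}
    for targets in policy['privilegeTargets'].values():
        for name, cfg in targets.items():
            m = re.fullmatch(r'isDescendantNodeOf\("([^"]+)"\)', cfg['matcher'])
            if m:
                roots[name] = m.group(1).rstrip('/')
    return roots

def covers(root, node_path):
    """Segment-aware prefix test (assumed), so /sites/site1 does not cover /sites/site10."""
    return node_path == root or node_path.startswith(root + '/')

def decide(policy, user_roles, node_path):
    """Simplified vote (assumed model): any DENY wins, otherwise a GRANT is required."""
    matching = {t for t, r in target_roots(policy).items() if covers(r, node_path)}
    if not matching:
        return 'UNPROTECTED'  # no privilege target in this policy covers the node
    votes = [p['permission'] for role in user_roles
             for p in policy['roles'].get(role, {}).get('privileges', [])
             if p['privilegeTarget'] in matching]
    if 'DENY' in votes:
        return 'DENIED'
    return 'GRANTED' if 'GRANT' in votes else 'DENIED'

def cross_site_roles(policy):
    """Audit: roles holding GRANT on targets rooted in more than one site."""
    roots = target_roots(policy)
    return sorted(role for role, cfg in policy['roles'].items()
                  if len({roots[p['privilegeTarget']] for p in cfg['privileges']
                          if p['permission'] == 'GRANT' and p['privilegeTarget'] in roots}) > 1)
```

An `UNPROTECTED` result marks a node path that none of the policy's matchers cover, which is worth reviewing whenever a new site is added without its own privilege target.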