Authmanager And Access To Subset Of Items

Let’s say I have an online shop with products and product categories. I want to use RBAC because I’ll have several roles with quite different rights. One of these rights will be to edit products from a certain category.

In SQL terms this would look like "SELECT FROM products WHERE category = …"

The number of categories will be arbitrary and can change at any time (with new ones being introduced). Thus part of the right/AutorizationItem I assign to a user needs to be variable.

In my user management frontend I’d assign the user the right to edit products but limit it to 1…n categories.

Any ideas on what would be a good way to achieve this?