The examples in the docs about RBAC, I don’t know if it’s top down or bottom up inheritance.
The docs use Admin and Author as examples. I think it’s top down, Admin can edit Author articles, but Author can’t edit Admin articles - I think. That would mean Admin gets all of the permissions of Author, but not the other way around, right? Or an example of what I’m thinking of.
We have User, Author, Editor, Developer, Admin. So would User be the root?
Looking at the tree like this it would make sense, but if the top level inherits the permissions of the descendants it does not.
User
|- Developer
|- Admin
|- Editor
|- Author
Or would User be assigned separately altogether?
Admin
|- Editor
|- Author
Developer
User
All are users and should get the User permissions. All Admins should also get Editor and Author permissions, and obviously not all authors are editors. So the hierarchy is a little fuzzy to me in that regard.
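The grouping described in the post above (every role gets User, Admin also gets Editor and Author, Author does not get Editor), as an added example that is not part of the original thread or of any framework's API: each role lists the roles it includes, and its effective permissions are its own plus everything reachable below it. The permission names are constructed for illustration.

```python
# Role graph for the roles named in the post. An edge parent -> child means
# "parent is granted everything the child has". Permission names are
# constructed for illustration; they are not taken from any framework.
ROLE_CHILDREN = {
    "User": [],
    "Author": ["User"],
    "Editor": ["User"],
    "Developer": ["User"],
    "Admin": ["Editor", "Author"],
}
ROLE_PERMISSIONS = {
    "User": {"readArticle"},
    "Author": {"createArticle", "editOwnArticle"},
    "Editor": {"editAnyArticle"},
    "Developer": {"viewDebugLog"},
    "Admin": {"deleteAnyArticle", "manageUsers"},
}


def effective_permissions(role, _path=()):
    """Return the role's own permissions plus those of every role it includes."""
    if role not in ROLE_CHILDREN:
        raise KeyError(f"unknown role: {role}")
    if role in _path:
        # A cycle would silently make every role in it equivalent; refuse it.
        raise ValueError("cycle in role graph: " + " -> ".join(_path + (role,)))
    perms = set(ROLE_PERMISSIONS[role])
    for child in ROLE_CHILDREN[role]:
        perms |= effective_permissions(child, _path + (role,))
    return perms


def can(role, permission):
    """Deny by default: only permissions reachable from the role are granted."""
    return permission in effective_permissions(role)


if __name__ == "__main__":
    for role in ROLE_CHILDREN:
        print(f"{role:10} {sorted(effective_permissions(role))}")
```

Inheritance runs one way only: Admin resolves to Author's permissions, while Author never resolves to Admin's or Editor's.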
I think it would be bottom up. From what I’ve researched (still confusing to me too) it seems that you make a “CanRead” action(?), and add it to the “User” role.
Then make "CanCreate, CanEditOwn" actions, then add "User" role and these two actions to the "Author" role.
Then make "CanEditAny, CanDeleteAny" actions, then add "Author" role and these two actions to the "Admin" role.
Rereading your post, I would look at RBAC as inheritance: