Shouldn't permissions be inherited based on relationship?

Posted by Ruben Dröge on 10-Feb-2017 05:50

Say you have a user object, an agent object and a building object.

- User is the contact owner of multiple agents
- Agents are linked to buildings

The user can only see all of his agents based on a relationship permission [ok]
The user can see all buildings (not just the ones linked to his agents) [not ok]

Is there a way to implement this correctly? Why are there just relationship-based permissions for the user object and not for e.g. agent/building objects? I'd rather not end up implementing this by creating views (because I want it to work for APIs as well).

All Replies

Posted by Santosh Patel on 10-Feb-2017 11:42

Automatic inheritance of permissions is not available as a feature.

The Rollbase-defined strategy to deal with such cases is to restrict direct access to dependent objects. Buildings should only be accessible through the Agent record (access to which is controlled by the relationship-based permission). This works for most use cases and a lot of customers are using this today. The assumption, however, is that the application is designed to not provide direct access to the dependent object.

Please raise an enhancement request to support relationship-based permissions on dependent objects also.

This thread is closed
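
The access rule the question asks for, sketched in Python as an added example (this is not Rollbase code and does not come from either poster): a building is readable only through an agent the user is contact owner of, and the same check guards both the list path and the direct fetch-by-id path an API would expose. All names, ids and data below are hypothetical and constructed for illustration.

```python
# Constructed sample data: user -> agents (contact owner) -> buildings.
AGENT_OWNER = {"agent-1": "alice", "agent-2": "alice", "agent-3": "bob"}
BUILDING_AGENTS = {
    "bldg-A": {"agent-1"},
    "bldg-B": {"agent-2", "agent-3"},  # shared between alice's and bob's agents
    "bldg-C": {"agent-3"},
    "bldg-D": set(),                   # not linked to any agent
}


class Forbidden(Exception):
    """Raised for both unknown and unauthorized ids, so ids cannot be probed."""


def visible_agents(user):
    # Relationship-based permission on the agent object (the [ok] case).
    return {a for a, owner in AGENT_OWNER.items() if owner == user}


def list_buildings_unscoped(user):
    # The [not ok] case: the user argument is ignored, every building is returned.
    return sorted(BUILDING_AGENTS)


def can_read_building(user, building_id):
    # Permission derived through the relationship chain; deny by default.
    linked = BUILDING_AGENTS.get(building_id)
    if linked is None:
        return False
    return not linked.isdisjoint(visible_agents(user))


def list_buildings(user):
    return sorted(b for b in BUILDING_AGENTS if can_read_building(user, b))


def get_building(user, building_id):
    # Direct access by id (view or API) uses the same predicate as the list,
    # so bypassing the agent page does not bypass the permission.
    if not can_read_building(user, building_id):
        raise Forbidden(building_id)
    # Only expose the agent links the caller is allowed to see.
    mine = BUILDING_AGENTS[building_id] & visible_agents(user)
    return {"id": building_id, "agents": sorted(mine)}


if __name__ == "__main__":
    print(list_buildings_unscoped("alice"))
    print(list_buildings("alice"))
    print(get_building("alice", "bldg-B"))
```

Keeping the decision in one predicate that every read path calls is what prevents the view and the API from drifting apart.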