In my app I need to combine two different access control mechanisms that should work together: roles and statuses.
So a user can have different roles like `admin`, `guest`, `teammember` etc. This is already implemented by using `Role`s, role mappings and `ACL`s.
However now I need to add another access control mechanism: user statuses.
There can be about 10 different statuses like `trial`, `onboarding`, `beta`, `banned` etc. with different business logic for access control.
Users with different roles can have different statuses. One user can have only one status at the same time.
I'm trying to think of a way to implement such functionality and came to a thought that it could be implemented by adding the exact same mechanism as `role` but with a name `status`. So I would have a model called `Status` and a `user` model would have a field `status_id`, so that I will get a `hasOne` relationship and will not need a mapping model.
So the idea comes down to having another set of `ACL` rules along with the rules for roles that would look something like this:

```js
{
  model: '*',
  property: 'some_model_method',
  accessType: 'EXECUTE/READ/WRITE',
  principalType: 'STATUS', // "STATUS" instead of "ROLE"
  principalId: '$onboarded',
  permission: 'ALLOW'
},
```
I haven't found any relevant information on creating custom `principalType`s, but it feels like it should be possible.
However I'm not sure if this is the right approach to the problem. Is it scalable? Will it be easy to support such code in the future? Is it flexible enough? Will I get `acl` hell with this approach, so that my `acls` lists will become huge for my models?
Or is this all just overcomplicating the problem, and I only need another table called `Status` and a bunch of if-else statements in my code? Or maybe some sort of a state machine?
Honestly, multiple questions arise, so that's why I've decided to seek help from the community.
I need a piece of advice on how to implement such functionality when a user can have both `role` and `status` access control mechanisms.
How should I approach this problem architecturally in general and specifically in Loopback 3?
question from: https://stackoverflow.com/questions/65921617/how-to-properly-manage-both-roles-and-statuses-as-acls-in-loopback
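The mechanism the question sketches already exists in LoopBack 3 as dynamic roles: `Role.registerResolver(name, fn)` lets a role such as `$onboarded` be computed per request, so ACL entries keep `principalType: 'ROLE'` and no custom principal type is needed. The block below is an added example, not code from the question or from LoopBack; it assumes the `user.status_id` / `Status` models described above and replaces their lookups with in-memory stubs so it runs without LoopBack installed.

```javascript
// Added example (not from the question or from LoopBack): a LoopBack 3
// dynamic-role resolver of the shape Role.registerResolver expects, mapping the
// current user's single status to a "$<status name>" principal.

// Constructed sample data standing in for the Status and user tables.
const STATUSES = new Map([[1, 'trial'], [2, 'onboarded'], [3, 'banned']]);
const USERS = new Map([[10, { id: 10, status_id: 2 }], [11, { id: 11, status_id: 3 }],
                       [12, { id: 12, status_id: null }]]);

// Hypothetical stubs for app.models.user.findById / app.models.Status.findById.
// Real model lookups are asynchronous; these call back synchronously for brevity.
function findUserById(id, cb) { cb(null, USERS.get(id) || null); }
function findStatusById(id, cb) {
  cb(null, STATUSES.has(id) ? { id, name: STATUSES.get(id) } : null);
}

// Resolver with the (role, context, cb) signature used by Role.registerResolver.
// `role` is the dynamic role under test, e.g. '$onboarded'; cb(null, true) means
// the caller is in that role. Anything unexpected (no token, unknown user, no
// status, lookup error) resolves to "not in role", so the ACL falls through to DENY.
function statusResolver(role, context, cb) {
  const wanted = typeof role === 'string' && role.startsWith('$') ? role.slice(1) : null;
  const userId = context && context.accessToken && context.accessToken.userId;
  if (!wanted || userId == null) return cb(null, false);
  findUserById(userId, (err, user) => {
    if (err || !user || user.status_id == null) return cb(err || null, false);
    findStatusById(user.status_id, (err2, status) => {
      if (err2 || !status) return cb(err2 || null, false);
      cb(null, status.name === wanted);
    });
  });
}

// Boot-script registration: one dynamic role per status name. ACL entries then
// keep principalType 'ROLE' and use principalId '$onboarded', '$banned', etc.
function registerStatusRoles(Role, statusNames) {
  for (const name of statusNames) Role.registerResolver('$' + name, statusResolver);
}

// Synchronous helper, valid here only because the stubs call back synchronously.
function isInStatusRole(role, userId) {
  let inRole = false;
  statusResolver(role, { accessToken: { userId } }, (err, ok) => {
    if (err) throw err;
    inRole = ok;
  });
  return inRole;
}
```

Because each user holds exactly one status, a role-based ACL entry per status keeps the ACL list one entry per (status, model, property) rather than duplicating the whole role table.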