Authorization in RHACS is role-based.
In most cases, access to a piece of data in RHACS is determined by the type of interaction (read or write), a permission (the functional area being touched), and possibly an access scope (the list of clusters and namespaces on which the role grants action).
The general access control pattern is now implemented deep in the store logic.
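The standard decision described above can be modelled as follows. This is an added illustration, not RHACS source code: the names `Access`, `Scope`, `Role` and `Allowed` are hypothetical, and the resource, cluster and namespace values are constructed samples. It assumes that a nil scope means the role is unrestricted and that an empty namespace list grants the whole cluster.

```go
// Hypothetical model of the standard access decision; not RHACS source code.
package main

import "fmt"

type Access int

const (
	NoAccess Access = iota
	Read
	ReadWrite
)

// Scope maps a cluster to the namespaces a role may act on.
// Assumption: an empty namespace list grants the whole cluster.
type Scope map[string][]string

type Role struct {
	Permissions map[string]Access // resource (functional area) -> granted access
	Scope       Scope             // assumption: nil means unrestricted
}

// Allowed combines the three inputs: interaction type, permission, access scope.
func (r Role) Allowed(want Access, resource, cluster, namespace string) bool {
	if want == NoAccess || r.Permissions[resource] < want {
		return false // permission missing, or a read-only grant asked to write
	}
	if r.Scope == nil {
		return true
	}
	namespaces, ok := r.Scope[cluster]
	if !ok {
		return false // cluster is outside the access scope
	}
	if len(namespaces) == 0 {
		return true // whole cluster is in scope
	}
	for _, ns := range namespaces {
		if ns == namespace {
			return true
		}
	}
	return false
}

func main() { // constructed sample role: read-only, one namespace in one cluster
	r := Role{map[string]Access{"Deployment": Read}, Scope{"prod": {"payments"}}}
	fmt.Println(r.Allowed(Read, "Deployment", "prod", "payments"), r.Allowed(ReadWrite, "Deployment", "prod", "payments"))
}
```

A data store that fits this model needs nothing beyond one resource name and the scope check; the stores discussed next are the ones that do not.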
A handful of data stores require access control patterns more complex than the standard one, in which one resource and an access scope drive the access control decision.
To cope with these exceptions, the concept of a permission checker was introduced in the store architecture (the database interaction layer). The permission checker performs some coarse-grained checks on the permissions granted to the requesting user's role, and additional access control logic has to be implemented in the data-store layer.
The permission checker concept is not very flexible and brings little benefit, since access control logic has to be implemented in the data-store layer anyway. Considering that only a few data types rely on permission checkers, it would be good to simplify the store layer.