Implementation of instance specific roles?

[JoelGoh92]

Consider the case, where a doctor is assigned patients, and is from a specific hospital
e.g. Hospital_A->Doctor_A->Patient_A
, Hospital_A->Doctor_B->Patient_B
, and Hospital_C->Doctor_C->Patient_C

Doctors have permissions such that they are able to read all records from their assigned hospital, and update the medical record of their assigned patients

In this case, an instance of a doctor should be able to update ONLY the medical record of the patients he/she has been assigned to, i.e. Doctor_B is not allowed to access the records of other patients, e.g. Patient_A, but he can view the records of his assigned patient, Patient_B.

Furthermore, the queryset of patient records should be filtered based on the Hospital that the Doctors belong to. E.g. Doctors A and B can view records originating from Hospital_A, but not from Hospital_C

Is it then possible to implement this level of access control via the concept of Roles through this package?

Thanks

[filipeximenes]

Hey, sorry for the delay, was on vacation. How about object permission checkers https://django-role-permissions.readthedocs.io/en/stable/object_permissions.html ? Do you think this would suit your needs?

[JoelGoh92]

Thanks for the reply, I'll take a look into this to see if it can fit my use case

[JoelGoh92]

@filipeximenes Thanks for the recommendation. The object permission checkers were a good fit for my use case. I was able to utilize the checkers inside permission classes, which are mapped to the different usable HTTP specific methods present in the respective viewset.