Need help with the following scenario for an app live in production:
The existing application has a root business unit (root) and several child business units (A, B, C, D etc.). There are several security roles that, when applied at the root level, give users access to all data, with variations of read, write, create, and delete privileges. There are also several security roles that, when applied at the child business unit level, give variations of read, write, create, and delete privileges.
Users within the child business units submit records, which are then reviewed in the model-driven app and either approved or rejected by their supervisor, who is also part of the child business unit. In the configuration record for the users who submit records to be reviewed, their supervisor is set in the record, and this sets the managerial hierarchy in the backend.
Setting a supervisor of a submitter works so long as the supervisor is in the child business unit or is in the root business unit parent to the child. The issue comes when a supervisor needs to reject/approve for multiple submitters who exist in different child business units.
The idea is to create a new business unit that is the parent of A and B and place the supervisor in this new business unit. This supervisor would also need a new security role with permission to view child business unit data. Current roles would expose data from other child business units, which is not desired.
How would you approach this problem without re-architecting the whole security model of the app? I know this may be inevitable.
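To make the proposal concrete, here is an added illustration (not code from the post or from Microsoft) that models the two Dataverse rules the scenario depends on: a role's Read privilege has a depth (User, Business Unit, Parent: Child Business Units, Organization), and the manager hierarchy only grants a manager access to a report who sits in the manager's own business unit or in a direct child of it. The tenant (root, A to D, one submitter per unit, the new unit AB) is constructed to match the question; the class and function names are this example's own. It shows the supervisor's access before and after the change, and why simply reusing an existing root-level Parent: Child role is the wrong fix.

```python
# Added illustration (not code from the post or from Microsoft): a simplified model
# of Dataverse business-unit scoping and the manager-hierarchy rule, used to check
# the proposed intermediate business unit before touching a production tenant.
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Depth(Enum):
    """Privilege depth of the Read privilege on the submission table."""
    USER = "User"
    BUSINESS_UNIT = "Business Unit"
    PARENT_CHILD = "Parent: Child Business Units"
    ORGANIZATION = "Organization"


@dataclass(eq=False)
class BusinessUnit:
    name: str
    parent: Optional["BusinessUnit"] = None

    def is_self_or_descendant_of(self, other: "BusinessUnit") -> bool:
        bu = self
        while bu is not None:
            if bu is other:
                return True
            bu = bu.parent
        return False


@dataclass(eq=False)
class User:
    name: str
    bu: BusinessUnit
    read_depth: Depth = Depth.USER
    manager: Optional["User"] = None


@dataclass(eq=False)
class Record:
    owner: User  # the owning business unit follows the owner's business unit


def role_allows_read(user: User, rec: Record) -> bool:
    """Role-based access: the deeper the privilege, the wider the set of owning units."""
    if user.read_depth is Depth.ORGANIZATION:
        return True
    if user.read_depth is Depth.PARENT_CHILD:
        return rec.owner.bu.is_self_or_descendant_of(user.bu)
    if user.read_depth is Depth.BUSINESS_UNIT:
        return rec.owner.bu is user.bu
    return rec.owner is user


def manager_hierarchy_allows(manager: User, report: User) -> bool:
    """Manager hierarchy: the manager must sit in the report's unit or its direct parent."""
    if report.manager is not manager:
        return False
    return manager.bu is report.bu or manager.bu is report.bu.parent


def visible_owners(user: User, records: list) -> list:
    return sorted(r.owner.name for r in records if role_allows_read(user, r))


def scenario() -> dict:
    """Constructed tenant: root with children A..D and one submitter per child unit."""
    root = BusinessUnit("root")
    a, b, c, d = (BusinessUnit(n, root) for n in "ABCD")
    subs = {n: User(f"submitter-{n}", bu) for n, bu in zip("ABCD", (a, b, c, d))}
    records = [Record(u) for u in subs.values()]

    # Current state: the supervisor lives in A with a Business Unit-depth role.
    sup = User("supervisor", a, Depth.BUSINESS_UNIT)
    subs["A"].manager = sup
    subs["B"].manager = sup
    before = {
        "sees": visible_owners(sup, records),
        "manager_of_A": manager_hierarchy_allows(sup, subs["A"]),
        "manager_of_B": manager_hierarchy_allows(sup, subs["B"]),
    }

    # Proposed change: new unit AB under root, A and B reparented under it,
    # and the supervisor moved to AB with a Parent: Child-depth role.
    ab = BusinessUnit("AB", root)
    a.parent = ab
    b.parent = ab
    sup.bu = ab
    sup.read_depth = Depth.PARENT_CHILD
    after = {
        "sees": visible_owners(sup, records),
        "manager_of_A": manager_hierarchy_allows(sup, subs["A"]),
        "manager_of_B": manager_hierarchy_allows(sup, subs["B"]),
    }

    # The tempting shortcut: an existing root-level Parent: Child role. It exposes C and D.
    root_sup = User("root-supervisor", root, Depth.PARENT_CHILD)
    return {"before": before, "after": after,
            "root_role_sees": visible_owners(root_sup, records)}


if __name__ == "__main__":
    from pprint import pprint
    pprint(scenario())
```

Two things the run makes visible. First, the new role must be assigned to the supervisor while they are in AB; the same Parent: Child depth held by a root user reaches C and D, which is exactly the exposure the current roles cause. Second, the manager hierarchy only starts working for submitters in B once B's parent is AB, so reparenting A and B (not just creating AB beside them) is part of the change. If reparenting production business units is unattractive, it is worth checking the position hierarchy, which, unlike the manager hierarchy, is not limited by business unit; the role scoping point above still applies either way.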