User read rights

I have a query that is able to get some data through a reference from a neighboring entity. Through that reference, it should be able to get to some properties where the user doing the query has rights to read them (as it concerns the user). The entity under which these properties are to be found cannot be read by the user.

I have a model where a user has rights to see data for himself (as supplier), including purchase orders. These purchase orders have a reference to sales orders. The supplier can just query all customers and their sales orders, but he/she should be allowed to see some of the data of a sales order if the user has access to a purchase order that has a reference to it.

Is it possible to set the rights like described above?

Earlier, I have tried setting read-rights for nodes under nodes without read-rights, but to my knowledge, that does not work.

Read permissions must and are inherited top/down. Otherwise it becomes really hard to reason about the permissions in play.

Maybe this could be made easier by introducing property permissions. In doing so, only some collection properties are readable, and it would not require moving all the other properties into a group node.

I don’t know for certain. But could a reference-set be used in permission expressions?

In this case, a reference-set could help. But you would still need to be able to set something open for reading underneath a part of the model that the user does not have access to.

What you are trying to achieve requires a rather expensive computation if you want suppliers to be able to access Sales Orders. Instead of expressing a can-read condition for Sales Orders, you can derive data from the Sales Order on the Purchase Order such that the supplier can see it.
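
The two behaviours discussed in this thread, top-down inheritance of read rights and the "derive the fields onto the readable entity" workaround, as an added platform-neutral sketch in Python (example code written for this page, not code from the thread or from any particular product; the `Node`, `can_read`, `read_via_ref` and `derive_onto` names and the sample customer/supplier data are constructed for the example):

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


class PermissionDenied(Exception):
    pass


@dataclass
class Node:
    """One entity in the model tree (hypothetical structure for this example).
    `owner` is the principal allowed to read this subtree; None is unrestricted."""
    kind: str
    name: str
    owner: Optional[str] = None
    props: dict = field(default_factory=dict)
    refs: dict = field(default_factory=dict)
    parent: Optional[Node] = None

    def add(self, child: Node) -> Node:
        child.parent = self
        return child


def can_read(user: str, node: Node) -> bool:
    """Top-down inheritance: `node` is readable only if every node on the path
    from the root down to it is readable by `user`. A read right placed on a
    node below a denied ancestor therefore has no effect, which is the
    behaviour the thread describes."""
    cur: Optional[Node] = node
    while cur is not None:
        if cur.owner is not None and cur.owner != user:
            return False
        cur = cur.parent
    return True


def read_prop(user: str, node: Node, prop: str):
    if not can_read(user, node):
        raise PermissionDenied(f"{user} may not read {node.kind} {node.name}")
    return node.props[prop]


def read_via_ref(user: str, node: Node, ref: str, prop: str):
    """Follow a reference from a readable node and read a property of the
    target. The target gets the same top-down check, so merely holding a
    reference grants nothing on the referenced entity."""
    if not can_read(user, node):
        raise PermissionDenied(f"{user} may not read {node.kind} {node.name}")
    return read_prop(user, node.refs[ref], prop)


def derive_onto(source: Node, target: Node, props: list[str], prefix: str) -> None:
    """Copy an explicit allow-list of properties from `source` onto `target`.
    The copies are then governed by `target`'s permissions, so only the listed
    properties become visible; anything not listed (e.g. a margin) stays hidden."""
    for p in props:
        target.props[prefix + p] = source.props[p]


def attempt(fn, *args):
    """Return the read value, or the string 'DENIED' when the check fails."""
    try:
        return fn(*args)
    except PermissionDenied:
        return "DENIED"


def build_model() -> dict[str, Node]:
    # Constructed sample data: one customer with a sales order, one supplier
    # with a purchase order that references that sales order.
    root = Node("root", "db")
    customer = root.add(Node("customer", "acme", owner="acme"))
    so = customer.add(Node("sales_order", "SO-1",
                           props={"delivery_date": "2024-06-01", "margin": 0.30}))
    supplier = root.add(Node("supplier", "bolts-inc", owner="bolts-inc"))
    po = supplier.add(Node("purchase_order", "PO-7", props={"qty": 500},
                           refs={"sales_order": so}))
    return {"so": so, "po": po}


MODEL = build_model()

if __name__ == "__main__":
    # Reading through the reference is denied: the sales order sits under a
    # customer the supplier may not read, and the check walks top-down.
    print(attempt(read_via_ref, "bolts-inc", MODEL["po"], "sales_order", "delivery_date"))
    # Deriving the needed field onto the purchase order makes it readable,
    # while the rest of the sales order stays out of reach.
    derive_onto(MODEL["so"], MODEL["po"], ["delivery_date"], "so_")
    print(read_prop("bolts-inc", MODEL["po"], "so_delivery_date"))
```

The point of `derive_onto` taking an explicit list is that the derived copy becomes the effective disclosure boundary: whatever is copied is visible to everyone who can read the purchase order, so the allow-list has to be reviewed with the same care as a permission rule, and it must be refreshed whenever the source changes.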

I was afraid that that would probably be the best solution. It seems a little incorrect to derive data to be able to give certain users access to it. Luckily, the effect is not too big.