Property-level access control
Management: easy to block or log ACLs
Prop-level access control: this is a WG decision from June
Roles are problematic because they become very programmatic. For example, you could have some kind of role/permission stating that “after the editor has edited the document, the individual marked as reviewer in such-and-such a database now has the role of reviewer for this document.”
E.g. “lisadu” has role of “approver” on this expense item folder
This can be done without changing ACLs: two steps.
1. First look up who is the “approver” of the document or folder, or some other role stored as a property or looked up in a DB.
2. Then assign the rights on the object based on the look-up.
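The two steps above as an added sketch (not from the original notes or any WG document): the role exists only in the look-up, and the resulting ACL names ordinary principals. `Resource`, `ROLE_PRIVILEGES`, `ROLE_DB`, the privilege names and every principal other than "lisadu" are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical policy: the privileges each role carries.
ROLE_PRIVILEGES = {"approver": {"read", "write"}, "reviewer": {"read"}}

@dataclass
class Resource:
    path: str
    props: dict = field(default_factory=dict)       # role name -> principal
    direct_acl: dict = field(default_factory=dict)  # grants made without any role
    acl: dict = field(default_factory=dict)         # effective: principal -> privileges

def lookup_role(resource, role, role_db):
    """Step 1: find who holds `role`, from a property or else an external DB."""
    holder = resource.props.get(role)
    if holder is None:
        holder = role_db.get((resource.path, role))
    return holder  # None: nobody holds the role

def assign_rights(resource, role_db):
    """Step 2: assign rights on the object based on the look-up."""
    # Rebuild from the direct grants each time, so a principal who no longer
    # holds a role loses the rights that came with it.
    acl = {p: set(privs) for p, privs in resource.direct_acl.items()}
    for role, privs in ROLE_PRIVILEGES.items():
        holder = lookup_role(resource, role, role_db)
        if holder is None:
            continue  # fail closed: an unfilled role grants nothing
        acl.setdefault(holder, set()).update(privs)
    resource.acl = acl
    return acl

def is_allowed(resource, principal, privilege):
    return privilege in resource.acl.get(principal, set())

# Constructed sample data: the approver is stored as a property,
# the reviewer is looked up in a database.
folder = Resource("/expenses/item-42/",
                  props={"approver": "lisadu"},
                  direct_acl={"owner1": {"read", "write"}})
ROLE_DB = {("/expenses/item-42/", "reviewer"): "reviewer1"}

if __name__ == "__main__":
    assign_rights(folder, ROLE_DB)
    for who in ("lisadu", "reviewer1", "owner1", "stranger"):
        print(who, sorted(folder.acl.get(who, set())))
```

Because the effective ACL is derived, it has to be recomputed whenever the role property or database entry changes; otherwise a former approver keeps write access.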