
How can a Subject only read and write to its owned objects?

Çağlar Arlı

It appears that in RBAC, a Subject creates a Session with one or more Active Roles; these Roles are then used to determine what permissions and actions can be taken. This appears to be fine for most of our organization until you reach Subjects with the Customer Role. Customers should only be able to read things they own, as opposed to other roles which would have read/write (or whatever actions) on things of the same type.

I'm not sure how best to implement this using RBAC. Should the session also contain the Subject? A few references suggest no.

Note: it is possible I am being too purist, but I'm checking to see what I'm missing. I have considered the PostgreSQL route where a User is a Role, and then the active role in the session is the User. What are my options for restricting a role to only view things not by type but by ownership?
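As an added illustration of the design choice the question raises (not code from the original post), the following scoped-permission check pairs ordinary RBAC with an ownership constraint: each role grants (object type, action, scope) triples, where scope "any" is classic type-level RBAC and scope "own" is only satisfied when the object's owner matches the subject recorded in the session. The role names, object types and the assumption that the session carries the subject identity are constructed for this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set, Tuple

# A permission is (object kind, action, scope).
# scope "any": the role may act on every object of that kind (plain RBAC).
# scope "own": the role may act only on objects the session's subject owns.
Permission = Tuple[str, str, str]

# Constructed role table for the example; "customer" gets read-own only.
ROLE_PERMISSIONS: dict = {
    "staff": {("order", "read", "any"), ("order", "write", "any")},
    "customer": {("order", "read", "own")},
}


@dataclass(frozen=True)
class Obj:
    kind: str
    owner: str  # subject identifier of the owner


@dataclass(frozen=True)
class Session:
    # Assumption of this example: the session records who the subject is,
    # otherwise an "own" scope has nothing to compare the owner against.
    subject: Optional[str]
    active_roles: FrozenSet[str]


def is_permitted(session: Session, action: str, obj: Obj) -> bool:
    """Default-deny check: True only if some active role grants the action
    on this object kind and the permission's scope is satisfied."""
    for role in session.active_roles:
        perms: Set[Permission] = ROLE_PERMISSIONS.get(role, set())
        for kind, act, scope in perms:
            if kind != obj.kind or act != action:
                continue
            if scope == "any":
                return True
            # Ownership scope: requires a known subject that owns the object.
            if scope == "own" and session.subject is not None \
                    and obj.owner == session.subject:
                return True
    return False


if __name__ == "__main__":
    alice = Session("alice", frozenset({"customer"}))
    print(is_permitted(alice, "read", Obj("order", "alice")))   # True
    print(is_permitted(alice, "read", Obj("order", "bob")))     # False
```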