I am trying to build an RBAC where I have Users, Organization, Collection1, Collection2, where the users have roles like "admin", "expert", "noob". An admin can give "expert" level access and an "expert" can give "noob" level access to users. Admin can write, read Organization, Collection1.
Expert can read all and update some fields in Collection1 (read the docs; guess I need to store these fields in a separate SubCollection).
Noob can only read some fields in the assigned Doc from Collection1 and Collection2 but cannot edit anything.
So far I have accomplished this by creating SubCollections /OrganizationAccess, /Collection1, /Collection2 where I create a doc by uid and write rules like:

    // Access to OrganizationAccess collection group
    match /{cpath=**}/OrganizationAccess/{accessId} {
      allow read: if request.auth != null;
    }

Same for Collection1 and Collection2.
All seems good... but what if I want to query or paginate OrganizationAccess, Collection1, Collection2?
I cannot, simply because that is not how Firebase works, I believe. This makes me question this approach. Please let me know if this needs modification or recommend a robust structure that has less data duplication and uses fewer get() calls in Firebase rules. This question might be incomplete but I would appreciate it if we all settle this once and for all.
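One way to lay this out so that the role is resolved with a single get() per request and the collections stay queryable, as an added example that is not part of the question or of Firebase's own docs: membership lives in one document per user under the organization (/organizations/{orgId}/members/{uid} with a role field), the three roles from the question are the only values, the role hierarchy for granting is enforced on writes to that document, and "assigned" docs are modelled with an assignedTo array so a noob can list them with an array-contains query. The path names, the assignedTo field and the expert-editable fields (notes, status) are assumptions chosen for the example; fields a noob must never see go in a private subcollection, because rules cannot hide individual fields of a document that a user is allowed to read.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed layout (constructed for this example, not from the question):
    //   /organizations/{orgId}/members/{uid}            -> { role: "admin" | "expert" | "noob" }
    //   /organizations/{orgId}/collection1/{docId}      -> { ..., assignedTo: [uid, ...] }
    //   /organizations/{orgId}/collection1/{docId}/private/{id}  -> fields noobs must not read
    //   /organizations/{orgId}/collection2/{docId}      -> { ..., assignedTo: [uid, ...] }

    function signedIn() {
      return request.auth != null;
    }

    // Single lookup of the caller's membership document. If the document does not
    // exist the get() fails, the rule errors and the request is denied (safe default).
    // Repeated lookups of the same document within one evaluation may be cached,
    // so role() can be called more than once without extra reads.
    function role(orgId) {
      return get(/databases/$(database)/documents/organizations/$(orgId)/members/$(request.auth.uid)).data.role;
    }

    function isMember(orgId) {
      return signedIn() && role(orgId) in ['admin', 'expert', 'noob'];
    }

    // Role hierarchy from the question: admin grants expert or noob, expert grants noob only.
    function grantableBy(r) {
      return r == 'admin' ? ['expert', 'noob'] : (r == 'expert' ? ['noob'] : []);
    }

    match /organizations/{orgId} {
      allow read: if isMember(orgId);
      allow write: if isMember(orgId) && role(orgId) == 'admin';

      // Membership documents: readable by every member (so the list is queryable and
      // paginatable), written only within the granting hierarchy. The very first admin
      // of an organization is created server-side with the Admin SDK, which bypasses rules.
      match /members/{uid} {
        allow read: if isMember(orgId);
        allow create: if isMember(orgId)
          && request.resource.data.keys().hasOnly(['role'])
          && request.resource.data.role in grantableBy(role(orgId));
        // Changing a role requires authority over both the old and the new role,
        // so an expert cannot demote an admin or promote anyone to expert.
        allow update: if isMember(orgId)
          && request.resource.data.keys().hasOnly(['role'])
          && resource.data.role in grantableBy(role(orgId))
          && request.resource.data.role in grantableBy(role(orgId));
        allow delete: if isMember(orgId)
          && resource.data.role in grantableBy(role(orgId));
      }

      match /collection1/{docId} {
        // admin and expert read everything; a noob reads only documents assigned to them
        allow read: if isMember(orgId)
          && (role(orgId) in ['admin', 'expert']
              || request.auth.uid in resource.data.assignedTo);
        allow create, delete: if isMember(orgId) && role(orgId) == 'admin';
        // expert may update only the assumed editable fields; admin may update anything
        allow update: if isMember(orgId)
          && (role(orgId) == 'admin'
              || (role(orgId) == 'expert'
                  && request.resource.data.diff(resource.data).affectedKeys().hasOnly(['notes', 'status'])));

        // Fields a noob must not see live here; rules cannot hide fields of a readable doc.
        match /private/{privateId} {
          allow read: if isMember(orgId) && role(orgId) in ['admin', 'expert'];
          allow write: if isMember(orgId) && role(orgId) == 'admin';
        }
      }

      match /collection2/{docId} {
        allow read: if isMember(orgId)
          && (role(orgId) in ['admin', 'expert']
              || request.auth.uid in resource.data.assignedTo);
        allow write: if isMember(orgId) && role(orgId) == 'admin';
      }
    }
  }
}
```

Because list requests are checked against the query rather than against each returned document, a noob's client must query with the same constraint the rule imposes, for example where('assignedTo', 'array-contains', uid) combined with orderBy and startAfter for pagination; an unconstrained query from a noob is rejected as a whole. Admins and experts can paginate the collections directly, and the members subcollection can be listed by any member, which replaces the per-user access documents in the original layout and removes the duplicated data they carried.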