We should consider introducing a new authorization rules model.
Defining the authorization rules should be simple and natural and, more importantly, should work with any "secured resource". The "secured resource" could be any of the following: a web endpoint, an object instance, a method on an object instance, a group of object instances, etc.
We should also ensure that other third-party authorization libraries/frameworks can be plugged in as extension implementations.
Related gh-13266
Comment From: rwinch
It might be useful for you to provide an example of where the current authorization is not working and what it might look like from a user's perspective.