Database modeling and role-based permissions


I would like to model multiple entities which will share the same way to:

  • handle permissions for CRUD operations based on a role
  • apply a view on data fields based on a role

Here is one of my entities. Currently all the fields are in a single entity named “Craftsman”.


I wonder if there is a right approach to manage that using the tools Strapi offers.

Shall I split this entity into one sub-entity per access role?
Then apply a policy on the route/GraphQL operations, based on the role.
Doing this would multiply the number of tables based on how many layers of roles I want. It would not be scalable in case I need to add other roles later. It seems like the wrong approach.

Some examples according to the given image of what I try to manage:
1- data accessible with a find/findOne:
admin can see […, ‘craftsman_monthly’] fields and also all the less restrictive ones [‘email’,‘IBAN’,‘personal_phone’][‘name’,‘description’,‘images’]
owner can see [‘email’,‘IBAN’,‘personal_phone’][‘name’,‘description’,‘images’]
with no role we can see [‘name’,‘description’,‘images’]

2- CRUD operations:
we can modify data only if we have a sufficient role. (admin > owner > no role)

I already saw lots of questions from the community about that and read multiple Strapi documentation guides. I’m still not sure about how to glue everything together:

  • overriding each entity controller to show/hide fields based on a role. I could group entity fields into Strapi components and then handle visibility based on the role.
  • apply policy based on the role to restrict permissions on CRUD operations

I need to find an evolvable approach and be able to:

  • add more roles later without refactoring the whole database
  • add more fields
  • have multiple entities which will share the same pattern

I’m on the free plan but I will consider upgrading if it helps solve the described situation.
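One way to express the field tiers and the role hierarchy described in the post as a single deny-by-default filter plus a CRUD gate, as an added example in plain JavaScript (not code from the original post or from Strapi); the role names and tier table are taken from the post's lists, while the sample record and the untiered `internal_note` field are constructed for the demonstration:

```javascript
// Roles are ordered; a higher role reads every tier at or below its level.
// Adding a role later means adding one entry here, not a new table.
const ROLE_LEVEL = { public: 0, owner: 1, admin: 2 };

// Minimum role needed to read each field (tiers from the post).
// A field that is not listed is never returned, so a newly added column
// stays hidden until someone deliberately assigns it a tier.
const FIELD_TIERS = {
  public: ['name', 'description', 'images'],
  owner: ['email', 'IBAN', 'personal_phone'],
  admin: ['craftsman_monthly'],
};

// Missing role (anonymous request) is treated as 'public'; an unknown
// role name is rejected instead of silently falling back.
function roleLevel(role) {
  const level = ROLE_LEVEL[role ?? 'public'];
  if (level === undefined) throw new Error(`unknown role: ${role}`);
  return level;
}

// Returns only the fields of `entity` that `role` is allowed to read.
function visibleFields(entity, role) {
  const level = roleLevel(role);
  const allowed = new Set(
    Object.entries(FIELD_TIERS)
      .filter(([tier]) => ROLE_LEVEL[tier] <= level)
      .flatMap(([, fields]) => fields)
  );
  return Object.fromEntries(
    Object.entries(entity).filter(([key]) => allowed.has(key))
  );
}

// CRUD gate for the hierarchy admin > owner > no role:
// the caller's role must be at least `requiredRole`.
function canModify(role, requiredRole) {
  return roleLevel(role) >= roleLevel(requiredRole);
}

// Constructed sample record; 'internal_note' has no tier on purpose.
const sampleCraftsman = {
  name: 'Jane', description: 'Carpenter', images: ['a.jpg'],
  email: 'jane@example.com', IBAN: 'XX00 0000 0000', personal_phone: '+00 000',
  craftsman_monthly: 1200, internal_note: 'not tiered yet',
};
```

The same `visibleFields` call can be applied to each record returned by a find/findOne handler and `canModify` evaluated in a policy, so every entity sharing the pattern reuses one tier table rather than one table per role.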