Struggling with permissions

Hi everyone,

In my organization, purchase requests are made by general employees and approved by department heads. Additionally, members of our resource department need to be able to read these requests.

We’ve got the workflow set up, but I can’t figure out how to make the permissions work correctly. For simplicity, assume the existence of three roles:

  1. Employee - read/write on their own Material Request, via role permission with “Only if Creator” checked
  2. Department Head - read/write on their department’s Material Requests, via general role permission plus a user permission limiting them to a specific department
  3. Resource Head - read permission on all Material Requests, no caveats

The problem is that our Resource Head (who needs to be able to read everything) is also a Department Head (who needs to be able to write docs in their department).

It feels like there should be a simple way to set this up, but I’m completely stumped. Any advice?
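As an added illustration (not code from the post or from the framework it describes), here is a small Python model of the three roles above. How the framework actually orders role and user permissions is not stated in the post, so the model makes that an explicit, labelled switch: it shows that the outcome for a user holding both roles depends entirely on whether the department User Permission scopes the whole user or only the Department Head role.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    """A Material Request as described in the post (constructed sample data)."""
    name: str
    owner: str
    department: str


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset
    department: Optional[str] = None  # User Permission limiting the user to one department


# Role permissions from the post; the bool mirrors the "Only if Creator" checkbox.
ROLE_PERMS = {
    "Employee":        {"read": True,  "write": True},   # creator only
    "Department Head": {"read": False, "write": False},  # scoped by a department User Permission
    "Resource Head":   {"read": False},                  # read everything, no caveats
}


def role_grants(role, perm, user, doc):
    only_if_creator = ROLE_PERMS.get(role, {}).get(perm)
    if only_if_creator is None:
        return False
    return doc.owner == user.name if only_if_creator else True


def has_permission(user, perm, doc, user_perm_scopes_all_roles=True):
    """Assumption, not taken from the post: True models a User Permission that filters
    documents for the user as a whole; False models one that only narrows Department Head."""
    in_department = user.department is None or doc.department == user.department
    if user_perm_scopes_all_roles:
        return in_department and any(role_grants(r, perm, user, doc) for r in user.roles)
    for role in user.roles:
        if role == "Department Head" and not in_department:
            continue
        if role_grants(role, perm, user, doc):
            return True
    return False


# Constructed sample: carol is both Department Head of Ops and Resource Head.
carol = User("carol", frozenset({"Department Head", "Resource Head"}), department="Ops")
sales_req = Request("MR-0001", owner="dave", department="Sales")
ops_req = Request("MR-0002", owner="erin", department="Ops")

if __name__ == "__main__":
    print(has_permission(carol, "read", sales_req))         # False: department scope hides it
    print(has_permission(carol, "read", sales_req, False))  # True: scope limited to Department Head
    print(has_permission(carol, "write", sales_req, False)) # False: still no write outside Ops
    print(has_permission(carol, "write", ops_req))          # True
```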

Any thoughts or advice here?

The more I dig into this, the more I think that User Permissions are designed in a very problematic way, to the point of being confusing, limiting, and potentially dangerous.

I’ve made an issue for discussion on github. It’d be great to get some discussion going. This is a core part of the framework’s functionality.