# community

Ankit Khosla

09/23/2023, 12:49 PM
Hi all, I am building headless ecommerce and would like to allow the store manager to create custom permission assigned to their staff, which are based on predefined resources( order, inventory,sales). I am planning to have a resource policy per user, created by the API. Do you think it's a good approach? or is there any other approach you would like to suggest? Thanks!

Jesum Yip

09/23/2023, 12:51 PM

Andrew Haines (Cerbos)

09/26/2023, 8:14 AM
That seems like a good approach. You may wish to use scoped policies to have a set of "standard" permissions (in the root scope) and then an additional set of permissions on top of that in a
scope or similar. You could model it that the root scope policies grant all the permissions within the store, but the custom scope ones have deny rules to narrow the permissions of the staff to those granted by the store manager. An example of this sort of scoped setup is here.
👍 1