Role Resolvers

Use Role.registerResolver() to set up a custom role handler in a boot script. This function takes two parameters:
String name of the role in question.
Function that determines if a principal is in the specified role. The function signature must be function(role, context, callback).
Example
module.exports = function(app) {
  var _ = require('underscore');
  var Role = app.models.Role;
  Role.registerResolver(adminForOrg, function(role, context, cb) {
    function reject(err) {
      if(err) {
        return cb(err);
      }
      cb(null, false);
    }
    if(context.modelName !== 'Organisation'){
      // return error if target model is not organisation
      return reject();
    }
    var currentUserId = context.accessToken.userId;
    var currentOrg = context.modelId;
    if(!currentUserId){
      // Do not allow unauthenticated users to proceed
      return reject();
    }
    if(!currentOrg){
      return reject();
    }
    else {
      app.models.User.findById(currentUserId, {include:
        {
          relation:'roles',
          scope : {
            fields: ['name'] // only include the role name and id
          }
        }
      })
      .then(function(userModelInstance){
       var isAdmin = _.findWhere(currentUserRoles,{name: 'orgAdmin'});
        if(!_.isEqual(userModelInstance.organisationId.toString(),currentOrg.toString()) || !isAdmin){
          return reject(); // reject if the user's org isn't the current org
        }
        else {
          return cb(null,true);
        }
      })
      .catch(function(error){
        cb(error);
      });
    }
  });
});
Define scope for Roles
Access Control For Tenants
Last updated last year