I have an application to manage the various permissions of people and groups. Different people and groups have different subordinates that they can assign.
I'm using declarative_authorization and I'm curious if it has a feature for the following problem, or if the security-conscious folks here have a suggestion as to how to go about solving this problem:
To assign a person to an application, for instance, someone in my declarative_authorization DSL might have either the decl_auth roles of "admin" or "access" with has_permission_to "create" and "delete" the model "role_assignments".
However, not just anybody can delete _any_ type of role_assignments, so the DSL specifying that their role can "delete" a "role_assignment" is not accurate. It depends on a few model-specific details, i.e. did they create it originally, or, are they part of a group that created it originally, etc.?
My best idea so far for fixing this issue is to create a before_save filter and place that sort of logic in there. Is that the best way to do this? Does declarative_authorization have a feature to help, or does somebody have a better idea?
Thanks guys!
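As an added stand-alone Ruby illustration (not the asker's code, nor declarative_authorization itself, whose `if_attribute` block inside `has_permission_on` expresses the same kind of per-record condition): role-level grants combined with object-level conditions for deleting role_assignments, evaluated at the authorization check rather than in a save callback. The user, record and group names are constructed for the example.

```ruby
# Added illustration (not declarative_authorization code): object-level
# permission checks for deleting role_assignments, combining role-level
# privilege with per-record conditions (creator, creator's group).
User = Struct.new(:id, :roles, :group_id)
RoleAssignment = Struct.new(:id, :creator_id, :creator_group_id)

# Role-level grants: which roles may perform which actions at all.
GRANTS = {
  admin:  { create: true, delete: true },
  access: { create: true, delete: true },
}.freeze

# Object-level conditions, checked only after a role-level grant exists.
# Returns true if any of the user's roles allows the action on this record.
def permitted?(user, action, record)
  user.roles.any? do |role|
    next false unless GRANTS.dig(role, action)
    case [role, action]
    when [:admin, :delete] then true           # admins may delete anything
    when [:access, :delete]
      # "access" may only delete assignments they or their group created
      record.creator_id == user.id ||
        (!user.group_id.nil? && record.creator_group_id == user.group_id)
    else true                                  # create: no object condition
    end
  end
end

# Constructed sample data.
ALICE = User.new(1, [:access], 10)
BOB   = User.new(2, [:access], 20)
ROOT  = User.new(3, [:admin], nil)
ASSIGNMENT_BY_ALICE = RoleAssignment.new(100, 1, 10)
ASSIGNMENT_BY_TEAM  = RoleAssignment.new(101, 4, 10)   # created by Alice's group
ASSIGNMENT_BY_BOB   = RoleAssignment.new(102, 2, 20)
```

A before_save callback does not run on destroy, so an object-level rule for delete has to live in the authorization check (or at least a before_destroy callback) to take effect.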