To answer your first question, if a user has 'update' that is effectively the same as 'update:*', the * is just not needed. If the user has 'update:party' then that would mean 'update:party:*'. We define the most granular permission required when defining the permission for a piece of functionality. So, to update person information the permission would be defined as 'update:party:detail:$'. The partyId would be expanded at runtime.
The user will need either:
1. 'update' means update anything in the entire system,
2. 'update:party' means update anything in the party app.
3. 'update:party:detail' means update any party's detail information (name, groupName, etc)

Or if none of these permissions are associated with the user, then the DA logic kicks in to see if they are allowed to access the single party record.
As for your second comment, I'd like to hear more about this. I'm not sure how that would look and what the definition of 'context' is in this case. But I'm happy to add something which is helpful! We can take this over to the dev list if you like.
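
The permission hierarchy described in this message, as an added example that is not part of the original post or the project's code: a segment-wise matcher in which a shorter grant covers everything beneath it, with a fallback to a record-level check. The function names, the `${partyId}` placeholder syntax, the sample party ids and the `record_check` callback (standing in for the "DA logic") are assumptions.

```python
from string import Template

# Assumed placeholder syntax; the message only says partyId is expanded at runtime.
UPDATE_PARTY_DETAIL = "update:party:detail:${partyId}"


def implies(granted: str, required: str) -> bool:
    """True if a granted permission covers the required one.

    A grant covers every permission it is a segment-wise prefix of, so
    'update:party' behaves like 'update:party:*'.
    """
    g = granted.split(":")
    r = required.split(":")
    # Trailing '*' segments add nothing: 'update:*' is the same as 'update'.
    while g and g[-1] == "*":
        g.pop()
    if len(g) > len(r):
        return False  # the grant is more specific than what is required
    # Compare whole segments, never raw string prefixes, so that
    # 'update:part' does not cover 'update:party:...'.
    return all(gs == "*" or gs == rs for gs, rs in zip(g, r))


def expand(template: str, **ctx: str) -> str:
    """Fill runtime values into the permission, rejecting values that
    would add segments or wildcards to the required permission."""
    for name, value in ctx.items():
        if not value or ":" in value or "*" in value:
            raise ValueError(f"unsafe value for {name!r}: {value!r}")
    return Template(template).substitute(ctx)


def is_allowed(user_perms, template, record_check=None, **ctx) -> bool:
    required = expand(template, **ctx)
    if any(implies(p, required) for p in user_perms):
        return True
    # No static permission matched: fall back to the per-record check
    # (hypothetical callback; denies when none is supplied).
    return bool(record_check and record_check(ctx))
```
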