How to restrict organisation access using RBAC
We have the following scenario: a shared service centre with users that should have access to multiple organisations. Additionally there are a number of customer organisations with users that should have access to only their own organisations. We are planning to use RBAC and to use a small number of responsibilities (to provide the menu path) and then a number of roles to grant permission to the appropriate functions and (hopefully) the appropriate organsiations.
Could someone outline how to do this? My reading on MOAC suggests that the organisation access is set through profiles at the responsibility level. This means that we have to create a responsibility for each individual organisation. This seems counter to one of the main purposes of RBAC which is to separate navigation (responsibility) from authorisation (permissions/grants). If the organisation access is allocated to a responsibility then we are linking the navigation to the permissions.