With Drupal 8, we received more powerful control over who can do what to a specific entity. The only downside is that this whole system does not apply at all to entity lists. The only exception is nodes (content), which still use the rather complex yet limited grants system. It's time we fix that and come up with a solution that works for all entities and all operations, and still has decent performance.
Suppose you're building a Drupal Commerce website and you want to show an employee a list of products they are allowed to put on sale. Sounds simple, no? Well, the reality is that this type of list building is not supported by Drupal core. There is no "put on sale" operation nor is there a way to limit a query's results by access to said operation.
So why haven't we added this functionality to Drupal core yet? First and foremost, because the problem space does not exist as clearly when it comes to nodes. The node grants system has proven to work rather well for many developers, even though it only supports three basic operations: view, edit and delete. Secondly, we have actually been trying to come up with a solution for almost a decade now.
This session will focus on the obstacles presented by the current system, how we can work around those obstacles for the time being and, most importantly, what a feature-complete system that works for all entities might look like. It will then go into detail on the upsides and downsides of the two most promising solutions to this problem.