Are there any access control approaches that allow customizing permissions (exclusion of a rule permission for a specific user - for RESTful webservice)?
Example:
Mary has the role of supervisor, where she can create and edit posts; however, I would like to remove the permission to create posts but keep Mary's role of supervisor.
User: Mary
Role: supervisor
Permission: Create and Edit posts.
Intended: Mary is a supervisor and can't create posts.
Note: I don't want to create two roles. The system administrator must be able to customize the roles and permissions (pre-defined) of the users. I would be grateful for suggestions of libraries in PHP.
What you need is a rule-based approach where you could define:
To do that, look into XACML or ALFA, which do just that. I think there is a PHP XACML library.
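As an added illustration (not part of the answer above, and not the API of any XACML or ALFA library), the rule-based idea can be sketched in plain PHP: a role-level permit rule, a per-user deny rule, and deny-overrides combining, so Mary stays a supervisor but cannot create posts. The rule format, the function names `ruleApplies` and `isAllowed`, and the user "john" are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Constructed sample policy: one role-level permit plus a per-user deny exception.
// Each rule matches on subject attributes, a list of actions and a resource type.
$rules = [
    ['effect' => 'permit', 'match' => ['role' => 'supervisor'], 'actions' => ['create', 'edit'], 'resource' => 'post'],
    ['effect' => 'deny',   'match' => ['user' => 'mary'],       'actions' => ['create'],         'resource' => 'post'],
];

/** True when the rule covers this action/resource and every attribute it names matches the subject. */
function ruleApplies(array $rule, array $subject, string $action, string $resource): bool
{
    if ($rule['resource'] !== $resource || !in_array($action, $rule['actions'], true)) {
        return false;
    }
    foreach ($rule['match'] as $attr => $value) {
        if (($subject[$attr] ?? null) !== $value) {
            return false;
        }
    }
    return true;
}

/**
 * Deny-overrides: any applicable deny wins; otherwise one applicable permit
 * is enough; with no applicable rule the request is refused (default deny).
 */
function isAllowed(array $rules, array $subject, string $action, string $resource): bool
{
    $permitted = false;
    foreach ($rules as $rule) {
        if (!ruleApplies($rule, $subject, $action, $resource)) {
            continue;
        }
        if ($rule['effect'] === 'deny') {
            return false; // an explicit exception always beats a role grant
        }
        if ($rule['effect'] === 'permit') {
            $permitted = true;
        }
    }
    return $permitted;
}

$mary = ['user' => 'mary', 'role' => 'supervisor'];
$john = ['user' => 'john', 'role' => 'supervisor']; // hypothetical second supervisor

var_dump(isAllowed($rules, $mary, 'edit', 'post'));   // role permit applies, no deny
var_dump(isAllowed($rules, $mary, 'create', 'post')); // per-user deny overrides the role permit
var_dump(isAllowed($rules, $john, 'create', 'post')); // same role, no exception
var_dump(isAllowed($rules, $mary, 'delete', 'post')); // no rule applies: default deny
```

Because the exception is stored as data, an administrator can add or remove a user's deny rule without defining a second role.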