
Best Practices for RBAC/ABAC in REST API with mandatory and optional attributes [closed]


I am currently working on a REST API where we've traditionally indicated which fields are mandatory and which are optional in the response or DTO. This has been straightforward as each endpoint had a fixed set of mandatory and optional fields.

Now, we're introducing role-based access control (RBAC) or attribute-based access control (ABAC) on certain endpoints, and this approach no longer works. E.g., each role can have a different set of mandatory and optional fields, making it challenging to maintain clear and consistent responses and DTOs.

For example:

We have 3 attributes in the response: a, b, c. a and c are mandatory and b is optional.

Role A is allowed to see attributes a, b but not c. Role B is allowed to see attributes c, b but not a.

Should all attributes be optional? Additionally, in this example absent/null/optional is semantically the same in the response.

My question is: What are the best practices for handling access control in REST APIs where mandatory and optional attributes can vary by access rules?

How can I maintain clear and user-friendly API documentation+response+DTO classes under these conditions?

Any best practices or examples would be beneficial, even if more than one solution is certainly conceivable.
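One concrete way to encode the role-dependent contract described in the question (roles A and B, attributes a, b, c) is to keep a single full DTO and project it per role through a deny-by-default field policy that also carries each role's own mandatory set. This is an added example, not code from the original post; the function and class names are assumptions.

```python
"""Role-scoped DTO projection for the scenario in the question.

Added example, not code from the post. Role names, attribute names and the
policy table are taken from the question; names of functions are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FieldPolicy:
    """Attributes a role may see, and which of those must be present for it."""
    visible: frozenset
    required: frozenset


# Deny-by-default: a role that is not listed here sees nothing at all.
# Mandatory-ness is expressed per role, not once per endpoint.
POLICY = {
    "A": FieldPolicy(visible=frozenset({"a", "b"}), required=frozenset({"a"})),
    "B": FieldPolicy(visible=frozenset({"c", "b"}), required=frozenset({"c"})),
}


class PolicyError(Exception):
    """Raised when a response cannot be produced without violating the policy."""


def validate_policy(policy: dict) -> None:
    """Reject a policy in which a role requires a field it may not see."""
    for role, fp in policy.items():
        if not fp.required <= fp.visible:
            raise PolicyError(f"role {role!r} requires hidden fields")


def project(record: dict, role: str, policy: dict = POLICY) -> dict:
    """Return only the attributes `role` may see, dropping absent/None ones.

    Absent and null are equivalent in the response (as in the question), so
    both are omitted. A missing mandatory field for this role is an error
    rather than a silently degraded response.
    """
    fp = policy.get(role)
    if fp is None:
        raise PolicyError(f"unknown role {role!r}: denied by default")
    missing = sorted(f for f in fp.required if record.get(f) is None)
    if missing:
        raise PolicyError(f"role {role!r}: mandatory attribute(s) missing: {missing}")
    return {k: v for k, v in record.items() if k in fp.visible and v is not None}
```

Documentation can then be generated from the same table, so the per-role required/optional lists in the docs never drift from what the API actually enforces.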
