we're just trying to get the roles and permissions from the 4.1 up and running. One question therefore - is it possible to have some kind of conditional permissions for roles? For example, some information stored in a node is checked from an user and gets the status "approved". These nodes shouldn't get updated anymore from any user. Would be great if anyone could help us.
You could use label based access roles. For example instead of property status you can use a label "Unapproved" and "Approved". Give write permissions for UnApproved label and for the role and Read permissions for Approved label for the same role.
So, when you want to change the status, remove Unapproved label and add Approved label. The node becomes readonly automatically.
thank you very much! Could be a solution. We'll discuss this one, as the status of an approval is the easiest use-case for our permission checks.