If you require more flexibility, you can implement a custom permission policy. Each role can have its own permission policy or you can share an implementation across several roles. One common example involves hierarchical data structures such as corporate organization charts. A corporate division may want to create a role for division personnel to report against subordinate sites, which may themselves have subordinate reporting organizations. In these cases, it's appropriate for the division level personnel to see information relevant to its subordinate organizations all the way down the org chart, but not be able to see other division's data. In these cases, you can create a custom permissions policy class in Java.
Procedure 4.3. To use a custom permissions policy
Create a class that implements the interface
Click the custom permissions policy checkbox.
Enter the fully-qualified class name.
Figure 4.2. Custom Permissions Policy is set by selecting the checkbox and typing the full class name of the permissions policy class you created.
You must still give the role permission at the action, issue, and view level if applicable.
CustomModelPermissionPolicy interface implemented has three methods. The
getViewPermissionQueryContribution methods are used for read operations, while
applyCustomWritePermissions is used for write operations.
Here is an example of creating a custom permissions class. This particular example implements only View permissions, but more often you would implement all 3 methods.