Hi Florian,
Thank you for the technical approach. I am sure I can make a workable solution using that.
However, on the topic of whether the approach is correct, I would disagree with you.
If I followed your suggestion, and created separate procedures (with definer rights) for different roles, then I am relying on the calling application to be role aware and invoke the correct functionality depending on the roles. In my mind, this is not advisable.
In many scenarios, it would be much preferred for the calling application to call generic services and let the services make the decision on what application role-specific logic to follow depending on the invoker's roles. Whether the conditional logic is applied at the xsjs level using $.session or at the procedure level using SESSION_USER/APPLICATION_USER with EFFECTIVE_PRIVILEGES would really depend on the logic being coded.
I will share a very simple example. Let's say you are building a service where you are creating purchase requests, and your application privilege would guide the dollar thresholds within which you can submit requests. In this case the invoked procedure would look up the thresholds and the assigned roles to make the determination of whether to allow or disallow the action.
Thanks,
Nitin
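
The purchase-request check described in the post above, sketched at the xsjs level as an added example that is not part of the original post. The privilege names, threshold values and the `fakeSession` stand-in for `$.session` are constructed for illustration; only the `hasAppPrivilege` method name mirrors the XSJS session API.

```javascript
"use strict";

// Constructed threshold table: application privilege -> maximum request amount (USD).
// Privilege names are hypothetical placeholders, not taken from the thread.
const THRESHOLDS = Object.freeze({
  "demo.purchasing::SubmitBasic": 1000,
  "demo.purchasing::SubmitManager": 25000,
  "demo.purchasing::SubmitDirector": 250000,
});

// Highest limit granted by any privilege the invoker holds; 0 means none (deny by default).
function limitFor(session) {
  let limit = 0;
  for (const [priv, max] of Object.entries(THRESHOLDS)) {
    if (session.hasAppPrivilege(priv) && max > limit) limit = max;
  }
  return limit;
}

// Generic service entry point: the caller sends only the request, never a role.
function submitPurchaseRequest(session, amount) {
  if (typeof amount !== "number" || !Number.isFinite(amount) || amount <= 0) {
    return { allowed: false, reason: "invalid amount" };
  }
  const limit = limitFor(session);
  if (limit === 0) return { allowed: false, reason: "no purchasing privilege" };
  if (amount > limit) return { allowed: false, reason: "amount exceeds limit " + limit };
  return { allowed: true, reason: "within limit " + limit };
}

// Constructed stand-in for $.session so the example runs outside XS.
function fakeSession(grantedPrivileges) {
  const granted = new Set(grantedPrivileges);
  return { hasAppPrivilege: (name) => granted.has(name) };
}

const clerk = fakeSession(["demo.purchasing::SubmitBasic"]);
const manager = fakeSession(["demo.purchasing::SubmitBasic", "demo.purchasing::SubmitManager"]);
console.log(submitPurchaseRequest(clerk, 5000));
console.log(submitPurchaseRequest(manager, 5000));
```

Both callers invoke the same function with the same arguments; the outcome differs only because of the privileges the service finds on the session.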