I have this structure in my model.cto file:
namespace org.gov.budget

asset Tax identified by Id {
  o String Id
  --> TaxPayer payer
  o Double amount
  o Integer year
  o Boolean processed
}

asset BudgetAccount identified by Id {
  o String Id
  o Double amount
}

participant Government identified by Id {
  o String Id
  --> BudgetAccount account
}

participant TaxPayer identified by PANID {
  o String PANID
  o String name
  o Double income
  o Integer taxSlab
}

transaction PayTax {
  --> Tax tax
  --> Government gov
}
Here is the implementation for the transaction.
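/**
 * Compute the tax due and credit it to the government's budget account.
 * @param {org.gov.budget.PayTax} tax - the PayTax transaction
 * @transaction
 */
async function payTax(tax) {
  tax.tax.amount = tax.tax.payer.income * tax.tax.payer.taxSlab * 0.05;
  tax.gov.account.amount += tax.tax.amount;
  tax.tax.processed = true;
  // Persist the updated budget account, then the processed tax asset.
  let assetRegistry = await getAssetRegistry('org.gov.budget.BudgetAccount');
  await assetRegistry.update(tax.gov.account);
  assetRegistry = await getAssetRegistry('org.gov.budget.Tax');
  await assetRegistry.update(tax.tax);
}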
Now, when I try to submit the PayTax transaction logged in as a TaxPayer participant (not admin), I run into all these troubles that TaxPayer doesn't have READ access to the resources involved in the transaction. I had to add the below two rules in order to remove the first READ access problem regarding the Government entity, say 'G1', but after this it's throwing an error saying TaxPayer doesn't have READ access to type BudgetAccount 'B1' that is linked to 'G1'. Will I need to provide read access for every individual asset/participant/type that is accessed within a composite type here, as in BudgetAccount within Government? Doesn't it get very complex if there are a lot of composite entities linked with each other?
rule abc {
  description: "Grant business network administrators full access to system resources"
  participant: "org.gov.budget.TaxPayer"
  operation: READ
  resource: "org.hyperledger.composer.system.ParticipantRegistry"
  action: ALLOW
}

rule abc4 {
  description: "Grant business network administrators full access to system resources"
  participant: "org.gov.budget.TaxPayer"
  operation: READ
  resource: "org.gov.budget.Government"
  action: ALLOW
}