I have an API I want to expose to consumers that is currently secured via Azure AD. I have successfully configured an auth-code OAuth2 configuration, using an Angular application as the client and a .NET 5 WebAPI. I currently have roles configured, along with policies, to ensure that all users can access a Get method, and only a few others can use the upsert/delete methods. I'll be calling them 'widgets' here.
The issue I have is that I need to limit which widgets I return, based upon their permissions. These widgets all have a factory, along with a factoryId they were created in. There are plenty of cases where I'll need admins to be able to see all the widgets from all the factories, some users only be able see the widgets from the factory they work, and then a very small set of people who see no widgets at all via the get.
I could do this by creating a permissions table, manually searching this table based upon an authenticated name, and doing a join. This seems to be an inelegant solution. I am using roles, so, in theory, I could have a role per factory, but this will be a maintenance nightmare for hundreds of factories. Not to mention, I think there's a hard limit to how many roles I can put in. Especially if there's a supervisor, who is not an admin, but has rights to 50 factories. The security token would be huge.
What would be a good way to safely, securely, and efficiently secure an API like this?