Enhancements to RBAC access control for user having ARTEX authorizations

Currently if we create a RBAC user with artexget and artexset permissions, he will be able to change any values of the system.
The answer given to the above behavior is that, the RBAC user with artex permissions cannot modify the file himself. Artex user is doing what his role allows him to do, which is execute that file. Values can be changed only by root user.
But as a RBAC user with artex permissions can create his own file and execute, and hence he can change any values of the system. It is security breatch, or access control issue. The documentation for the above scenario is also not available.

Currently the RBAC control is at command-level: If a RBAC user get the permission to run a RBAC command, she/he should have all the privileges to perform all the tasks that the command offers. The RBAC feature doesn't support the RBAC command at the data-level, or object-level, on which the command is running. For example, for rmdev command, we can assign a user to remove all devices using rmdev, but we cannot assign a user to remove only network devices using rmdev command (and the user cannot remove other kinds of devices, like, disks), in the current RBAC design.

This is a limitation of our RBAC design. To extend the RBAC access controls to the data/object level, enhancement to the RBAC framework is required.

At the meantime the enhancement to individual commands can be done, like artex, to limit who can modify the input files to the command, so that we can partially control what the user can do while running the command (assume that the tasks are defined in the input files). That may make the RBAC commands more secure in terms of access controlling, but that breaks the current behaviors of the RBAC command.