I'm considering security implementation for a payment solution. Our requirement is that User A privilege can create/write payment records. User B privilege cannot modify any payment elements except an Approval attribute and write to the payment entity's notes; i.e., if they Deny the payment they can add a Note to the payment record.
Option 1: Create a separate entity for approvals and notes related to the payment
Option 2: Create a separate form on the payment entity and manage access to the data through the form
What are the pros/cons of affecting data access through form permissions vs. entity permissions?