I'm working on a roles/permission system for my web app and I'm unsure quite how to structure this.
Briefly. Users can access a number of Projects. This is a Participation and, amongst other things, a Participation has a Profile with a number of Rights. So these are Rights specific to a User within a Project. A Participation also has a Type (Admin, Support, etc.).
A Profile is based on a Role. Roles (perhaps poorly named) are effectively standard Profiles with default rights configurations defined in advance by admins. When creating a new profile one selects a Role to act as a base and then, if needed, one adjusts the rights. Profiles aren't exclusive to one user.
So far, so good (or not! you tell me!)
Rights are grouped by context/subject. So for instance all rights to do with 'Project Tasks' are grouped together. I haven't modelled this because it's handled by the UI (not sure whether that's a bad thing).
Now my issue is as follows. Depending on the Participation Type, certain Rights are implicit and should not be disabled. So when creating a Role for a 'Support' Participation, the 'See my own support tickets' Right should be implied and either not shown, or shown disabled so that it cannot be changed. Whereas a different Participation Type can optionally assign this Right or not.
I've basically got a spreadsheet with Participant Type / Right = Can't apply, Can apply (Selected or not) & Always applies.
Any ideas/pointers as to how this can be modelled?
Many thanks,
AW
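One way to model the spreadsheet described above, added here as an example and not the question author's or any project's code: the Participation Type / Right matrix becomes a three-state lookup, Roles and Profiles carry only the optional choices, and the "always applies" and "can't apply" rules are enforced when resolving effective rights rather than left to the UI. The right names, type names and matrix contents are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Applicability(Enum):
    """The three states of the Participation Type / Right spreadsheet."""
    CANNOT_APPLY = "cannot_apply"  # never available for this participation type
    OPTIONAL = "optional"          # admin may select it or not
    ALWAYS = "always"              # implicit: held by every participation of this type


# Constructed sample matrix (hypothetical rights and types, not from the question).
# A right missing from a type's row is treated as CANNOT_APPLY.
POLICY_MATRIX = {
    "support": {
        "tickets.view_own": Applicability.ALWAYS,
        "tickets.view_all": Applicability.OPTIONAL,
        "tasks.edit": Applicability.OPTIONAL,
    },
    "admin": {
        "tickets.view_own": Applicability.OPTIONAL,
        "tickets.view_all": Applicability.ALWAYS,
        "tasks.edit": Applicability.ALWAYS,
        "project.delete": Applicability.OPTIONAL,
    },
}


def applicability(participation_type: str, right: str) -> Applicability:
    return POLICY_MATRIX.get(participation_type, {}).get(right, Applicability.CANNOT_APPLY)


def editable_rights(participation_type: str) -> frozenset:
    """Rights the Role/Profile editor should show as toggles for this type."""
    row = POLICY_MATRIX.get(participation_type, {})
    return frozenset(r for r, a in row.items() if a is Applicability.OPTIONAL)


@dataclass(frozen=True)
class Role:
    name: str
    participation_type: str    # a Role is defined for exactly one Participation Type
    default_rights: frozenset  # admin-defined defaults, OPTIONAL rights only


@dataclass
class Profile:
    role: Role
    granted: frozenset = frozenset()  # OPTIONAL rights added on top of the role
    revoked: frozenset = frozenset()  # OPTIONAL rights removed from the role


def validate_profile(profile: Profile) -> list:
    """Return the edits that break the matrix; an empty list means the profile is valid."""
    ptype = profile.role.participation_type
    problems = []
    for right in sorted(profile.role.default_rights | profile.granted):
        if applicability(ptype, right) is not Applicability.OPTIONAL:
            problems.append(f"{right}: not an optional right for {ptype}")
    for right in sorted(profile.revoked):
        if applicability(ptype, right) is Applicability.ALWAYS:
            problems.append(f"{right}: always applies for {ptype}, cannot be revoked")
    return problems


def effective_rights(profile: Profile) -> frozenset:
    """Resolve what a participation actually holds, enforcing the matrix server-side."""
    ptype = profile.role.participation_type
    row = POLICY_MATRIX.get(ptype, {})
    chosen = (profile.role.default_rights | profile.granted) - profile.revoked
    # Keep only selectable choices, then add the implicit rights regardless of edits.
    selectable = {r for r in chosen if applicability(ptype, r) is Applicability.OPTIONAL}
    implicit = {r for r, a in row.items() if a is Applicability.ALWAYS}
    return frozenset(selectable | implicit)


@dataclass(frozen=True)
class Participation:
    user: str
    project: str
    participation_type: str
    profile: Profile

    def has_right(self, right: str) -> bool:
        if self.profile.role.participation_type != self.participation_type:
            raise ValueError("profile's role was built for a different participation type")
        return right in effective_rights(self.profile)


if __name__ == "__main__":
    support_role = Role("support-default", "support", frozenset({"tickets.view_all"}))
    # An attempt to revoke an implicit right is reported and has no effect on resolution.
    prof = Profile(support_role, revoked=frozenset({"tickets.view_own"}))
    print(validate_profile(prof))
    print(sorted(effective_rights(prof)))
```

Because `effective_rights` re-applies the matrix on every check, a profile saved through a buggy or bypassed editor still cannot lose an "always applies" right or gain a "can't apply" one; `editable_rights` gives the UI the list of toggles to render, and `validate_profile` lets the editor explain rejected edits.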