Well, it sounds like you want global roles and org-specific roles. Although using only roles will keep your table smaller, I disagree with James about 'far less queries being run', since the structure of Aro trees only requires 1 query whether based on a user or role. The benefit of performance would come from smaller index sizes. But regardless, if you want to avoid adding users to the Aro table, create a structure like:

Entire Site
|- Org 1
|  |-Org 1 Admin
|  |-Org 1 User
|- Org 2
|  |-Org 2 Admin
|  |-Org 2 User
L Guests

Then you can link each user to a role in a separate table (Roles). Or if you already have a habtm relationship for Users <-> Organizations, you can simply add an additional role_id column.

id user_id org_id role_id

So yes, you are understanding correctly.

On Mar 24, 1:02 pm, mguthrie <[email protected]> wrote:
> So if I understand you correctly:
>
> 1.) Create roles that are global across the system
> 2.) Assign those roles to the ARO table
> 3.) Then in my own separate tables store group information per
> organization that assigns users to those roles.
>
> Am I understanding this correctly? If so that makes for a very
> efficient solution.
>
> On Mar 24, 7:53 am, James K <[email protected]> wrote:
>
> > Unless you need the ability to have fine grained, unique permissions
> > on a per-user basis, then I would avoid entering your users into the
> > ARO table (like most ACL tutorials suggest). Instead add your roles to
> > the ARO table. Then in your system logic, you can pull the user's role
> > in a particular organization, then check against the ACL tables for
> > that role to find out what that user should be able to do in that
> > context.
>
> > This leaves your ACL tables MUCH lighter, far less queries need to be
> > run against them as well.
>
> > - James
>
> > On Mar 23, 8:13 pm, mguthrie <[email protected]> wrote:
>
> > > I'm looking into CakePHP for developing an application that appears to
> > > have some unique requirements. I'll try to break it down as simply as
> > > I can:
>
> > > 1.) Users register with the site
> > > 2.) A user can belong to one or more organizations (by invite only).
> > > These organizations keep data specific to their organization that
> > > isn't shared or publicly available to the rest of the organizations.
> > > Think of a CRM where each user can belong to one or more organizations
> > > that each manage their own customers in the same system.
> > > 3.) A user needs to have different rights depending on the
> > > organization. In one organization a user may be an administrator and
> > > can do all things but in another they may only be able to view a
> > > certain area belonging to that organization.
>
> > > Everything in the application is going to center around a user's
> > > current organizational id. So in the backend there will be a lot of
> > > filtering by organization ID.
>
> > > Can the CakePHP ACL give me that kind of flexibility? Can a user have
> > > different rights to the same database tables depending on which
> > > organization they are currently working as?
>
> > > This may be confusing so if anyone needs me to clarify please let me
> > > know.
>
> > > Thanks.
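
The design discussed in this thread, as an added example that is not part of the original messages and is not CakePHP's own ACL code: roles (not users) sit in the ARO tree, a membership row carries user_id, org_id and role_id, and each check resolves the user's role for the current organization before consulting permissions. The simplified tables, the `can` and `open_db` helpers, the ACO names and the convention that org_id equals the ARO id of the organization's node are all assumptions made for illustration.

```python
import sqlite3

SCHEMA = """
CREATE TABLE aros (id INTEGER PRIMARY KEY, parent_id INTEGER, alias TEXT);
CREATE TABLE permissions (aro_id INTEGER, aco TEXT, allowed INTEGER);
CREATE TABLE memberships (id INTEGER PRIMARY KEY, user_id INTEGER,
    org_id INTEGER, role_id INTEGER, UNIQUE (user_id, org_id));
-- Constructed sample data: the role tree from the post, roles only, no users.
INSERT INTO aros VALUES (1, NULL, 'Entire Site'), (2, 1, 'Org 1'),
  (3, 2, 'Org 1 Admin'), (4, 2, 'Org 1 User'), (5, 1, 'Org 2'),
  (6, 5, 'Org 2 Admin'), (7, 5, 'Org 2 User'), (8, 1, 'Guests');
INSERT INTO permissions VALUES (2, 'customers/view', 1),
  (3, 'customers/edit', 1), (5, 'customers/view', 1), (6, 'customers/edit', 1);
-- Assumption: org_id is the ARO id of the organization's node.
INSERT INTO memberships (user_id, org_id, role_id) VALUES
  (10, 2, 3),   -- user 10: admin in Org 1
  (10, 5, 7),   -- user 10: plain user in Org 2
  (11, 5, 3);   -- inconsistent row: Org 2 membership holding an Org 1 role
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def can(db, user_id, org_id, aco):
    """True only if the user's role in this org grants aco; default deny."""
    row = db.execute("SELECT role_id FROM memberships WHERE user_id=? AND org_id=?",
                     (user_id, org_id)).fetchone()
    if row is None:
        return False                      # not a member of the current org
    # Walk from the role node up to the root, most specific node first.
    chain = db.execute("""
        WITH RECURSIVE up(id, parent_id, depth) AS (
            SELECT id, parent_id, 0 FROM aros WHERE id = ?
            UNION ALL
            SELECT a.id, a.parent_id, up.depth + 1
            FROM aros a JOIN up ON a.id = up.parent_id)
        SELECT id FROM up ORDER BY depth""", (row[0],)).fetchall()
    path = [r[0] for r in chain]
    if org_id not in path:
        return False                      # role is outside this org's subtree
    for aro_id in path:                   # nearest explicit rule wins
        rule = db.execute("SELECT allowed FROM permissions WHERE aro_id=? AND aco=?",
                          (aro_id, aco)).fetchone()
        if rule is not None:
            return bool(rule[0])
    return False
```

The subtree check matters because role_id and org_id are stored independently: without it, a membership row that pairs one organization with another organization's role would be honoured.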
