> In this mechanism, does a "role" differ significantly from a "group"?
> I have to admin a CRM system that has both roles /and/ groups, and it
> always seems a bit excessive. But maybe there's some benefit to roles,
> as such, that I'm not seeing.
> Thanks, Ben

As described, a "role" appears to act essentially the same as a "group" - a
predefined set of permissions that can be assigned to multiple users (as
opposed to a set of permissions unique to the user).  Correct me if there's
a better way, but I think individual permissions can be set similarly -
except skip the role/group step and associate the binary permission string
directly with the user.

Thinking outloud:

In your case where you're dealing with both individual permissions as well
as groups, you could do both of the above, but have the individual
permissions override the group.  You'd have to figure out a "third bit"
though, to act as a "no change" bit.  Ie: 0 = deny, 1 = allow, 2 = NC.  But,
that wouldn't allow you to convert and store the bit string in decimal.

So if group1 had a permission string of 1010, and user Joe was a member of
group1, but you wanted to take away the first bit's permission, and grant
the second bit, you could assign him the individual permission string of
0122 (deny, allow, NC, NC), resulting in his permissions being 0110.

You'd check it by checking the individual permissions first, and if the bit
(or digit in this case) were 2, then you would move on to checking the group

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to