Response Inline:

On Fri, Aug 19, 2016 at 3:05 PM, chambrenoire <[email protected]> wrote:

> So store role-permissions as many role>permission rows rather than one
> role>permissionsAsString row per role.
>
> But how does this change the problem of accumulating large numbers of role >
> permission associations as when there are many user > project associations?

With what I am suggesting (and it is definitely not the only way to do this), your users would not be directly associated with a permission, they would be associated with a role, and those roles would be associated with the permissions. How many projects do you have? A few thousand? Or millions? How often would the permission to role mapping be updated? If infrequent, and you have a manageable number, it would probably cache well.

> Other question: I assume that (by default) project:p1:write doesn't imply
> project:p1:read? I would have to write my own code for such implications?

Yes and no. Permissions are just strings, but if in your app write always implies read (common scenario), you have two options: either add two permissions to the role (read, and write), or assign a single 'project:p1:read,write' permission.
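
The role indirection and the two ways of granting read and write described in the reply above, as an added example that is not part of the original message or of any library's code. The user names, role names and the matching rules (colon-separated parts, comma-separated alternatives, no wildcard or prefix matching) are assumptions made for illustration.

```python
from functools import lru_cache

# Constructed sample data: users map to roles, roles map to permission
# strings; a user is never associated with a permission directly.
USER_ROLES = {
    "alice": {"p1-editor"},
    "bob": {"p1-writer-only"},
    "carol": {"p1-editor-split", "p2-reader"},
}
ROLE_PERMISSIONS = {
    "p1-editor": ("project:p1:read,write",),                     # single string
    "p1-editor-split": ("project:p1:read", "project:p1:write"),  # two strings
    "p1-writer-only": ("project:p1:write",),                     # write, no read
    "p2-reader": ("project:p2:read",),
}


def parse(permission):
    """'project:p1:read,write' -> ({'project'}, {'p1'}, {'read', 'write'})."""
    parts = tuple(frozenset(s.strip() for s in part.split(",") if s.strip())
                  for part in permission.split(":"))
    if any(not p for p in parts):
        raise ValueError(f"malformed permission string: {permission!r}")
    return parts


def implies(granted, requested):
    """True if each part of `requested` is a subset of the same part of `granted`."""
    g, r = parse(granted), parse(requested)
    if len(g) != len(r):  # assumption: no prefix or wildcard matching
        return False
    return all(rp <= gp for gp, rp in zip(g, r))


@lru_cache(maxsize=None)
def role_permissions(role):
    """Role lookup, cached because the role-to-permission mapping changes rarely."""
    return ROLE_PERMISSIONS.get(role, ())


def is_permitted(user, requested):
    """Resolve user -> roles -> permissions; unknown users and roles get nothing."""
    return any(implies(granted, requested)
               for role in USER_ROLES.get(user, ())
               for granted in role_permissions(role))
```

Because the role lookup is cached, call `role_permissions.cache_clear()` whenever a role's permissions are changed, otherwise a revoked permission stays in effect.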
