Groups, users, roles, access control - best practice
807603 Nov 26 2007 — edited Nov 27 2007

I'm working on a multiuser web application, and I have some questions about user authorization. I'm thinking about two possible systems, and I don't know which is better:
a) A hardcoded set of roles in the application. A user may be allowed to play one or more of them (this information will be stored in the database). Each operation in the system will have a role associated with it, and in order to perform the operation the user must be allowed to play that role. The application checks this, and if permission is not granted it gives an error.
b) A small group of roles, but a new custom-created object - user. This object may contain data that will represent this user's rights in the application. Each operation will just check if the user has the right to access it. But there will be no special roles. User rights will be generated each time from the database, according to the data and relations in the schema.
Can anyone refer me to a good book or article on handling groups, users, roles, rights, permissions, etc. for a software system, including database tables? Using Google I've found Acegi Security. Now I'm trying to learn it, but I would like more guidance. Which method will be better for Acegi?
Maybe there is a better idea?