I am trying to come up with the best practice on how to set up roles for my controllers and actions.
We have a debate in our office. Should we give one role to the user and decorate our controllers and actions with a list开发者_运维百科 or roles, or viceversa, multiples roles to an user and have controllers/actions decorated with the minumum access role required?
In my experience, it has been better to allow a user to assume multiple roles. This is the most flexible approach, and it will avoid an explosion in the number of roles in the system, because different people often wear different hats within an organization. This also simplifies your controllers/actions because you only need at most one role per.
I think this depends entirely on what you want your users to be doing. Is a person in an admin role only going to be able to do admin type things or everything?
We had a similar issue come up and we decided to go with 4 different roles and assigned multiple roles to users based on what they needed access to.
精彩评论