I have built a database-driven web application that has a user and group system that works in a similar way to how Linux handles user access.
Brief explanation:
A user can access various resources, the resources are assigned to a single group and users can have many groups.
Users

    id  name
    --  -----------
    1   RedRanger
    2   GreenRanger
    3   BlueRanger

Group Assignment

    user  group
    ----  -----
    1     33
    1     44
    1     55
    2     33
    2     44
    3     33
    3     44
    3     55
    3     66

Group description

    gid  name
    ---  ------
    33   user
    44   things
    55   stuff
    66   foo

Resource

    name  group
    ----  -----
    a     33
    b     33
    c     33
    x     44
    y     55
    z     66

RedRanger can access a, b, c, x and y but not z
GreenRanger can only access a, b, c and x
BlueRanger can access a, b, c, x, y and z

Let's say that RedRanger needs to be denied access to resource a. If I remove him from group 33 he can no longer access b or c, which is no good.
The only alternative is to change a's group and add everyone else to the new group. This isn't so bad for 3 users, but what about 3,000?
If this situation occurs often there will soon be a mess of groups.
What is the best approach to this problem?
A resource should be able to "belong" to more than one group, rather than just one. This limitation really restricts the design.
You're part way towards a RBAC system; have a read over it and see how you could be a little bit more flexible for a better result.
It sounds like RedRanger no longer fits role (group) 33 and a new role needs to be created with access to the features (resources) that fit this new role. 3 users vs. 3,000 users is just a matter of doing the change in an admin UI vs. a sweeping database update.
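
The two suggestions above (a resource belonging to more than one group, and a new role for RedRanger) combined in one runnable sketch. This is an added example, not code from the question or the answers; the table names, group 77 and its name "user-restricted" are assumptions, and the rows are constructed from the question's tables.

```python
import sqlite3

# Schema is hypothetical; rows are constructed from the tables in the question.
SCHEMA = """
CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE group_desc(gid INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE user_group(user_id INTEGER, gid INTEGER, PRIMARY KEY(user_id, gid));
-- Junction table: a resource may now belong to several groups.
CREATE TABLE resource_group(resource TEXT, gid INTEGER, PRIMARY KEY(resource, gid));
"""
USERS = [(1, "RedRanger"), (2, "GreenRanger"), (3, "BlueRanger")]
GROUPS = [(33, "user"), (44, "things"), (55, "stuff"), (66, "foo")]
USER_GROUP = [(1, 33), (1, 44), (1, 55), (2, 33), (2, 44),
              (3, 33), (3, 44), (3, 55), (3, 66)]
RESOURCE_GROUP = [("a", 33), ("b", 33), ("c", 33), ("x", 44), ("y", 55), ("z", 66)]

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    db.executemany("INSERT INTO group_desc VALUES (?, ?)", GROUPS)
    db.executemany("INSERT INTO user_group VALUES (?, ?)", USER_GROUP)
    db.executemany("INSERT INTO resource_group VALUES (?, ?)", RESOURCE_GROUP)
    db.commit()
    return db

def accessible(db, user):
    """Resources the user reaches through any of their groups (no row, no access)."""
    rows = db.execute(
        """SELECT DISTINCT rg.resource FROM users u
           JOIN user_group ug ON ug.user_id = u.id
           JOIN resource_group rg ON rg.gid = ug.gid
           WHERE u.name = ? ORDER BY rg.resource""", (user,))
    return [r[0] for r in rows]

def restrict_red_ranger(db):
    """Deny RedRanger resource a while keeping b and c; no other user is touched."""
    with db:  # single transaction: commits as a whole or rolls back on error
        db.execute("INSERT INTO group_desc VALUES (77, 'user-restricted')")  # hypothetical group
        db.executemany("INSERT INTO resource_group VALUES (?, 77)", [("b",), ("c",)])
        db.execute("DELETE FROM user_group WHERE user_id = 1 AND gid = 33")
        db.execute("INSERT INTO user_group VALUES (1, 77)")

if __name__ == "__main__":
    db = build_db()
    print(accessible(db, "RedRanger"))
    restrict_red_ranger(db)
    print(accessible(db, "RedRanger"), accessible(db, "GreenRanger"))
```

The change costs four statements regardless of how many users remain in group 33, because b and c are mapped to both groups instead of every other user being moved.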