> Yes, they offer an additional layer of granularity on permissions. The apps
> I write use groups and roles to limit access to certain functionality. The
> roles determine functional access to records, i.e. what the user can do with
> them. The group membership determines what records the user can see. E.g.

But is this substantially different from just allowing "groups" to determine access to functionality, /and/ access to records, and letting the admin create different groups for different reasons?

I guess I'm thinking of the way Active Directory works, which I've found, in my second life as a system administrator, to be both easy to grasp and extremely flexible/powerful.

Ben

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
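
The two models discussed in this message, side by side, as an added example that is not part of the original thread: the role-plus-group check described in the quoted text, and a groups-only scheme of the kind the reply asks about. All user, role, group and function names are hypothetical, and the data is constructed for illustration.

```php
<?php
// Constructed sample records; each record belongs to one owning group.
$records = [
    ['id' => 1, 'owner_group' => 'sales'],
    ['id' => 2, 'owner_group' => 'support'],
];

// Model A: roles decide what a user may do, groups decide which records they see.
$rolePermissions = ['editor' => ['view', 'edit'], 'viewer' => ['view']];
$alice = ['roles' => ['editor'], 'groups' => ['sales']];

function allowedTwoAxis(array $user, string $action, array $record, array $rolePermissions): bool
{
    // Deny by default: the record must be visible through a group...
    if (!in_array($record['owner_group'], $user['groups'], true)) {
        return false;
    }
    // ...and at least one role must grant the requested action.
    foreach ($user['roles'] as $role) {
        if (in_array($action, $rolePermissions[$role] ?? [], true)) {
            return true;
        }
    }
    return false;
}

// Model B: groups only. Each group carries explicit (action, record group) grants,
// so the admin creates one group per combination that is needed.
$groupGrants = [
    'sales-editors'   => [['view', 'sales'], ['edit', 'sales']],
    'support-viewers' => [['view', 'support']],
];
$bob = ['groups' => ['sales-editors']];

function allowedGroupsOnly(array $user, string $action, array $record, array $groupGrants): bool
{
    foreach ($user['groups'] as $group) {
        foreach ($groupGrants[$group] ?? [] as [$grantedAction, $recordGroup]) {
            if ($grantedAction === $action && $recordGroup === $record['owner_group']) {
                return true;
            }
        }
    }
    return false; // no matching grant: deny
}

// Both users may edit the sales record and are denied on the support record.
foreach ($records as $record) {
    var_dump(allowedTwoAxis($alice, 'edit', $record, $rolePermissions));
    var_dump(allowedGroupsOnly($bob, 'edit', $record, $groupGrants));
}
```

Both checks reach the same decisions here; the difference is administrative, since the groups-only model needs a separate group for each action and record-set combination.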