> > In this mechanism, does a "role" differ significantly from a "group"? > I have to admin a CRM system that has both roles /and/ groups, and it > always seems a bit excessive. But maybe there's some benefit to roles, > as such, that I'm not seeing. > > Thanks, Ben [JP] As described, a "role" appears to act essentially the same as a "group" - a predefined set of permissions that can be assigned to multiple users (as opposed to a set of permissions unique to the user). Correct me if there's a better way, but I think individual permissions can be set similarly - except skip the role/group step and associate the binary permission string directly with the user. Thinking outloud: In your case where you're dealing with both individual permissions as well as groups, you could do both of the above, but have the individual permissions override the group. You'd have to figure out a "third bit" though, to act as a "no change" bit. Ie: 0 = deny, 1 = allow, 2 = NC. But, that wouldn't allow you to convert and store the bit string in decimal. So if group1 had a permission string of 1010, and user Joe was a member of group1, but you wanted to take away the first bit's permission, and grant the second bit, you could assign him the individual permission string of 0122 (deny, allow, NC, NC), resulting in his permissions being 0110. You'd check it by checking the individual permissions first, and if the bit (or digit in this case) were 2, then you would move on to checking the group permissions. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
