>
> Now here is the
> tricky part, a user can be an author for one department but an editor
> for another department, and if they are a departmental administrator,
> they inherit both author and editor permission as well as have the
> ability to add users to their department or change the roles of
> current users. Also, if you are a departmental administrator, editor,
> or author, then you can ONLY manage news stories related to your
> department. And of course there is the super user that can add
> departmental administrators. How would you recommend I set up Zend_Acl
> under this scenario? Please let me know if you need more information,
> given this is my first post and I'm new to Zend Framework, please go
> easy on me ;-)
>
I think the Zend_Acl stuff should be no problem for you. For your tricky
part I would just suggest making it as simple as possible. Multiple rules for
inheritance sound great from a technical perspective and I'm sure you can
add logic to meet all those requirements, but you might want to verify with
your users and the people that will be managing these users that they can
understand the inheritance. I've found that the simpler you keep your rules
the less IT ends up doing the managing of the user accounts and the easier
it is to explain to the end users why they do/do not have access to specific
areas. We've done that in the past by just creating a specific role and
since users can have as many roles as they want, you just add whatever role
that has the correct permissions to them and remove whatever role they
should be in. The main point is that if you can't explain to the end
user what role they need to do their job, you might be too complicated. I've
found that this mixed with a 'deny' permission (to override any other
permission granted from any other role) is about as complicated as I need to
get in most situations. Then the logic is pretty simple. Just: do they have
this permission? Do they have a deny for this permission? And you're done.
There is a balance there of how unwieldy so many roles can become, but it
doesn't sound like you would have that problem.
I don't think from the ACL perspective that there is any difference between
a department and a role -- There are just roles with permissions on
resources that may be specific to a department.
--
View this message in context: http://www.nabble.com/Help-with-multiple-roles-tp19039466p19048298.html
Sent from the Zend Auth mailing list archive at Nabble.com.
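
The flat-role scheme from the reply above, as an added example that is not part of the original message and does not use Zend_Acl's classes: plain PHP in which each department/job pair is its own role, a user holds a list of roles, and a deny from any role overrides every allow. All role, resource, privilege and user names are hypothetical.

```php
<?php
// Constructed role table: one flat role per department and job, no inheritance.
// Resources are department-scoped ("news:sales"), so a role only reaches its own department.
$roles = [
    'sales-author' => ['allow' => ['news:sales' => ['create']]],
    'sales-editor' => ['allow' => ['news:sales' => ['edit', 'publish']]],
    'sales-admin'  => ['allow' => ['news:sales'  => ['create', 'edit', 'publish'],
                                   'users:sales' => ['assign-role']]],
    'hr-editor'    => ['allow' => ['news:hr' => ['edit', 'publish']]],
    'superuser'    => ['allow' => ['*' => ['*']]],
    // Deny role: overrides an allow granted by any other role the user holds.
    'sales-no-publish' => ['deny' => ['news:sales' => ['publish']]],
];

// True if the rule set names this privilege on this resource ('*' is a wildcard).
function ruleMatches(array $rules, string $resource, string $privilege): bool
{
    foreach (['*', $resource] as $key) {
        $privs = $rules[$key] ?? [];
        if (in_array('*', $privs, true) || in_array($privilege, $privs, true)) {
            return true;
        }
    }
    return false;
}

// The two questions from the reply: does any role deny it? does any role allow it?
function isAllowed(array $roles, array $userRoles, string $resource, string $privilege): bool
{
    $allowed = false;
    foreach ($userRoles as $name) {
        if (!isset($roles[$name])) {
            continue; // an unknown role name grants nothing
        }
        if (ruleMatches($roles[$name]['deny'] ?? [], $resource, $privilege)) {
            return false; // a deny from any role wins immediately
        }
        if (ruleMatches($roles[$name]['allow'] ?? [], $resource, $privilege)) {
            $allowed = true;
        }
    }
    return $allowed; // no matching allow means no access
}

// Constructed users: author in one department and editor in another; admin with a deny.
$alice = ['sales-author', 'hr-editor'];
$bob   = ['sales-admin', 'sales-no-publish'];
var_dump(isAllowed($roles, $alice, 'news:sales', 'create'));
var_dump(isAllowed($roles, $alice, 'news:sales', 'publish'));
var_dump(isAllowed($roles, $alice, 'news:hr', 'publish'));
var_dump(isAllowed($roles, $bob, 'users:sales', 'assign-role'));
var_dump(isAllowed($roles, $bob, 'news:sales', 'publish'));
```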