> I remember building a project where we kept a mapping table of users to permissions for quick lookups, but man, it got messy with data updates.
Do you mean literally users to permissions?
Usually users map into groups, groups are subgroups of each other, and permissions are granted to groups.
So you can only see the financial data if you're in financial-report-preparers. Can Bob see the report? That depends on if he's an indirect or direct member of financial-report-preparers.
This is different from RBAC where Bob might have an admin or manager role directly. If he has admin access it's because he's a member of a certain group of employees that's a subgroup of another group of employees who all have admin access etc. similarly for groups of end users.
It would be a combinatorial explosion to try to enumerate the permissions of a given user. If people are having lot of syncing problems they may not have granular enough groups.
Do you mean literally users to permissions?
Usually users map into groups, groups are subgroups of each other, and permissions are granted to groups.
So you can only see the financial data if you're in financial-report-preparers. Can Bob see the report? That depends on if he's an indirect or direct member of financial-report-preparers.
This is different from RBAC where Bob might have an admin or manager role directly. If he has admin access it's because he's a member of a certain group of employees that's a subgroup of another group of employees who all have admin access etc. similarly for groups of end users.
It would be a combinatorial explosion to try to enumerate the permissions of a given user. If people are having lot of syncing problems they may not have granular enough groups.
Groups make it safe. Groups are best.