12-21-2006, 08:35 PM
ben
Administrator
 
Join Date: Mar 2007
Posts: 77
Interesting questions concerning articles

I received an email the other day asking whether the RBAC system can be used to manage numerous articles, and whether it is possible to find out which articles a person is allowed to read the moment they log into a system.


The answer to both these questions is 'yes'.

An article is just an 'object'. You can group articles that belong to a certain category into a 'domain'.

Let's say there are two types of articles: ones that are for the public and others that are private (or sensitive).
We can then create two domains named 'public articles' and 'private articles' and assign the various articles to them.

We then create a role called 'view public articles' that defines the privilege to 'view' 'public articles'.
Let's say we want to play it safe and make sure that the 'view public articles' role is not allowed to view 'private articles', so we add this requirement to the 'view public articles' role. (We would only do this if there is a chance of making a mistake and assigning an already marked private article to the public domain.)

We then need to assign users to roles so that we can determine which users are allowed to read what.

Once this is done we can then find out which articles a person can read the moment they log in with just one query.
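The model described in the post above, as an added example that is not part of the original post or the RBAC system's own code: articles grouped into domains, roles with an explicit "not allowed" on the private domain, and one login-time query. The table and column names, the `allow` flag and the per-role evaluation of the deny are assumptions; the data is constructed.

```python
import sqlite3

# Hypothetical schema and constructed data; not the RBAC system's own tables.
# allow=1 grants a privilege on a domain, allow=0 is the role's explicit "not allowed".
SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE article_domains (article_id INTEGER, domain_id INTEGER);
CREATE TABLE roles (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE role_privileges (role_id INTEGER, privilege TEXT, domain_id INTEGER, allow INTEGER);
CREATE TABLE user_roles (username TEXT, role_id INTEGER);
INSERT INTO domains VALUES (1,'public articles'),(2,'private articles');
INSERT INTO articles VALUES (1,'Welcome'),(2,'Payroll'),(3,'Draft memo');
-- Article 3 is private but was also assigned to the public domain by mistake.
INSERT INTO article_domains VALUES (1,1),(2,2),(3,2),(3,1);
INSERT INTO roles VALUES (1,'view public articles'),(2,'view private articles');
INSERT INTO role_privileges VALUES (1,'view',1,1),(1,'view',2,0),(2,'view',2,1);
INSERT INTO user_roles VALUES ('alice',1),('bob',2),('carol',1),('carol',2);
"""

# The single login-time query: an article is readable if one of the user's roles
# may view a domain holding it and that same role is not denied on any of its domains.
READABLE = """
SELECT DISTINCT a.id, a.title
FROM user_roles ur
JOIN role_privileges rp ON rp.role_id = ur.role_id
JOIN article_domains ad ON ad.domain_id = rp.domain_id
JOIN articles a ON a.id = ad.article_id
WHERE ur.username = :user AND rp.privilege = 'view' AND rp.allow = 1
  AND NOT EXISTS (
    SELECT 1 FROM role_privileges d
    JOIN article_domains dd ON dd.domain_id = d.domain_id
    WHERE d.role_id = ur.role_id AND d.privilege = 'view'
      AND d.allow = 0 AND dd.article_id = a.id)
ORDER BY a.id
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def readable_articles(db, username):
    # Bound parameter, so the login name is never spliced into the SQL text.
    return db.execute(READABLE, {"user": username}).fetchall()

if __name__ == "__main__":
    db = build_db()
    for name in ("alice", "bob", "carol", "mallory"):
        print(name, readable_articles(db, name))
```

Without the `allow = 0` row on role 1, alice would also get 'Draft memo' through its mistaken public assignment; a user with no roles gets an empty result rather than an error.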