Quote:
Originally Posted by doubledub
Hello,
At a glance, the system you have built up seems very elegant and efficient. However, it is not clear to me if it can perform more 'item-specific' role administration. Let me try to explain what I mean.
Say you need to make a newspaper site, with dynamic categories and articles, and want to be able to have both super-administrator and super-moderator roles (which would be permitted to perform appropriate actions on a global level), but also category administrator or category moderator, which would have the same permissions as the global roles, but only on a local level (meaning, within a specific category). Is this RBAC system designed with these capabilities, and how would they be implemented, or administered?
Thank you for the response in advance.
|
This is exactly what this RBAC can do. Each category is a 'domain' and each new newspaper edition is an 'object'.
What you would do is create a domain for each category you want and then, when new editions of a newspaper come out, you simply insert them into one (or many) categories.
The administrator and moderator would then have different privileges assigned to them. You could create a role for each category if you wanted to. Each role then has actions (or privileges) associated with it.
You may want to define a simple role that allows a user to 'read' each category. In other words, you may have a subscription website in which you only want users to read categories they are subscribed to. A user can be subscribed to multiple categories, in which case the user will have multiple roles.
Hope this helps.
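
A minimal sketch of the domain/object/role model described in the reply above, added here as an example and not the code of the RBAC system under discussion. The class and method names, the `*` marker for a global role, and the sample users, categories and editions are all assumptions made for illustration.

```python
from collections import defaultdict

GLOBAL = "*"  # assumed marker: the role applies in every domain (category)

class DomainRBAC:
    """Hypothetical model: roles carry actions, grants are scoped to a domain."""
    def __init__(self):
        self.role_privs = defaultdict(set)      # role -> {action}
        self.object_domains = defaultdict(set)  # object -> {domain}
        self.grants = defaultdict(set)          # user -> {(role, domain)}

    def define_role(self, role, *actions):
        self.role_privs[role].update(actions)

    def place_object(self, obj, *domains):
        # An edition may be inserted into one or many categories.
        self.object_domains[obj].update(domains)

    def grant(self, user, role, domain=GLOBAL):
        if role not in self.role_privs:
            raise KeyError(f"unknown role: {role}")
        self.grants[user].add((role, domain))

    def allowed(self, user, action, obj):
        domains = self.object_domains.get(obj)
        if not domains:
            return False  # deny by default: object is in no domain
        for role, domain in self.grants.get(user, ()):
            in_scope = domain == GLOBAL or domain in domains
            if in_scope and action in self.role_privs[role]:
                return True
        return False

def build_newspaper():
    """Constructed sample data for a newspaper site."""
    rbac = DomainRBAC()
    rbac.define_role("administrator", "read", "edit", "delete", "publish")
    rbac.define_role("moderator", "read", "edit")
    rbac.define_role("reader", "read")
    rbac.place_object("edition-101", "sports")
    rbac.place_object("edition-102", "politics")
    rbac.place_object("edition-103", "sports", "politics")
    rbac.grant("alice", "administrator")        # global super-administrator
    rbac.grant("bob", "moderator", "sports")    # category moderator only
    rbac.grant("carol", "reader", "sports")     # subscriber with a role
    rbac.grant("carol", "reader", "politics")   # per subscribed category
    return rbac
```

The check denies by default: an edition that has not been placed in any category, or a user with no grant covering one of the edition's categories, gets no access.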