Hi Ben,
I found your website with this excellent RBAC system. I'd like to implement it, but I'm asking if you could give a little help with the implementation.
I'd like to have groups instead of users. This is not quite hard, but I'd also like to have a group parent-child relation. E.g. you have a company, and a group "workers". Then a group "section-a" is a child of "workers", and a group "room 1234" is a child of "section-a". A more specialized group always has priority over a global group.
If "workers" may view a single object in a domain, and only room 1234 may edit that object, this room group has a higher priority. I thought about this database design:
rbac_group_has_roles (like your rbac_user_has_roles)

group
  id (integer)
  name (string)
  parent_id (integer, pointing at another group id)

user_in_group
  user_id (integer, pointing at a user id)
  group_id (integer, pointing at a group_id)
But how can I check the influence of "higher" groups? I know something about database design and normalisation, but I'm absolutely bad at mentioning queries to fetch the right information out of the database. Is this possible with (My)SQL, or should I be sending queries with PHP? E.g. you know a user is a member of a subgroup, do I need to send separate queries for both groups and filter it with PHP?
Thanks for your help!!!
PS. I'll implement this (if the group-thing works) into my own content management system:
Damnsmall cms (currently only available in Dutch).
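
An added example, not part of the comment above and not code from Ben's RBAC system: the group hierarchy described in the comment resolved in a single recursive query, so the nearest group that has a rule wins and no per-group filtering is needed in application code. Assumptions: the table is named `groups` because GROUP is a reserved word, `group_rule` and its columns are a hypothetical stand-in for `rbac_group_has_roles`, SQLite stands in for MySQL (MySQL 8.0 and later also accept `WITH RECURSIVE`), a tie at the same depth resolves to deny, and the walk is capped at 32 levels so a `parent_id` loop cannot run forever.

```python
import sqlite3

# Constructed sample data: workers > section-a > room 1234, two users, three rules.
SCHEMA = """
CREATE TABLE groups (id INTEGER PRIMARY KEY, name TEXT, parent_id INTEGER REFERENCES groups(id));
CREATE TABLE user_in_group (user_id INTEGER, group_id INTEGER REFERENCES groups(id));
-- hypothetical stand-in for rbac_group_has_roles (its real columns are not shown)
CREATE TABLE group_rule (group_id INTEGER, object TEXT, action TEXT, allowed INTEGER);
INSERT INTO groups VALUES (1,'workers',NULL),(2,'section-a',1),(3,'room 1234',2);
INSERT INTO user_in_group VALUES (10,3),(11,2);
INSERT INTO group_rule VALUES (1,'doc','view',1),(1,'doc','edit',0),(3,'doc','edit',1);
"""

# Walk from the user's own groups (depth 0) up through parent_id, then take the
# rule found at the smallest depth: the most specialized group overrides its ancestors.
QUERY = """
WITH RECURSIVE chain(group_id, parent_id, depth) AS (
    SELECT g.id, g.parent_id, 0
    FROM user_in_group ug JOIN groups g ON g.id = ug.group_id
    WHERE ug.user_id = :user
  UNION ALL
    SELECT p.id, p.parent_id, c.depth + 1
    FROM chain c JOIN groups p ON p.id = c.parent_id
    WHERE c.depth < 32            -- cycle guard for a misconfigured parent_id
)
SELECT r.allowed
FROM chain c JOIN group_rule r ON r.group_id = c.group_id
WHERE r.object = :object AND r.action = :action
ORDER BY c.depth ASC, r.allowed ASC   -- nearest group first; deny wins a tie
LIMIT 1
"""

def demo_db():
    """Build the constructed in-memory database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def is_allowed(db, user, obj, action):
    """Return True only if the nearest matching rule allows the action."""
    row = db.execute(QUERY, {"user": user, "object": obj, "action": action}).fetchone()
    return bool(row and row[0])   # no rule anywhere in the chain: default deny

if __name__ == "__main__":
    db = demo_db()
    for user in (10, 11):
        for action in ("view", "edit"):
            print(user, action, is_allowed(db, user, "doc", action))
```

User 10 (in "room 1234") may edit because the room's own rule is found at depth 0, while user 11 (in "section-a") inherits the deny from "workers".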