normalized group authentication method

mystrymaster

Alright here goes

I need an authentication system that will allow people to be.

In a branch

In a role

that in and of itself is farily simple however what I am struggling with is now I need to account for special cases

Basically if a normal member of Role A has access to documents 1,2,3
and
if a normal member of Role B has access to documents 4,5,6

Now how would I give user A access to document 5 without documents 4 and 6?

The second part of this

It's more complicated then simply document 1,2,3,4,5,6

It's more like module 1,2,3,4,5,6 and Each Module has maybe 3 -5 pages associated with it so my idea was to have a module table

Module
-----------
Id
name


Page
---------
Id
name


Module_group
--------------------
module_id
page_id

Can someone who has done this help a little bit?

pohopo

Either you create a new role with 1,2,3,5 or you allow people to have multiple roles and have a role C that only allows 5 then add role A and C to the user.

A proper entitlement structure should have roles and rights. A role would have 1 to many rights associated to it and all your entitlement code would be based on rights. This would make it easy to just create a new role and then associate the rights needed for that person. If you do not have this structure then you would have to update your code to recognize your new role.

mystrymaster

I am aware of the one to many thing but that seems like it may get huge if we have say 1000 employees

But the bigger question now would be then how to get each page to read from a module without I guess it would be hardcoding a module name on each page?