My colleagues and I are drafting a model of the user privileges system we wish to use for a new project.
However, we have met some conflicts - namely I want to use "roles" for nothing more than a convenience feature for pre-determined roles that users can slot into when created, but maintain that the relationship is directly from users to rights.
Others want to use roles as the mainstay of the whole privilege system, i.e. users have roles, roles have rights, but the user object doesn't know that rights even exist. I have seen this on several occasions become not only chaotic in terms of the number of roles created, but also the role relationship becomes superfluous as more and more roles pop up with only one right/privilege.
What I'm trying to do is present the idea that having a many-to-many relationship between individual rights to users is more flexible and less chaotic than creating a user role, which can have many rights, and then maintain a many-to-many user role relationship. We will still use roles, but they will only be as preset templates, not as the concrete role the user will maintain (the admin will be able to update the privileges individually as well as pick roles at CRU(D) time.) There is one small impediment with this model, and that is searching for users with a particular role, but I explained this was just a case of searching for users that have matching privileges as those of the role(s) in question.
Now, I suck at presenting my ideas, always have. So I've been looking for any existing presentations or discussions or blogs, etc., but unfortunately my Google-fu is not good enough to get past the 1,000s of results I am getting for "role model" when I search for "user role model", and I was wondering if anyone knows of a nice blog or such that has a good discussion? Perhaps we can start one here?
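
An added example, not part of the original post: a sketch of the model described above (rights granted directly to users, roles kept only as templates) and of the "find users with a role by matching privileges" search, run against an in-memory SQLite database. The schema, the user, role and right names, and the sample rows are all constructed assumptions.

```python
import sqlite3

# Constructed schema and data; all table, user, role and right names are hypothetical.
SCHEMA = """
CREATE TABLE user_rights (username TEXT, right_name TEXT,
                          PRIMARY KEY (username, right_name));
-- Roles are templates only: no table links a user to a role.
CREATE TABLE role_templates (role TEXT, right_name TEXT,
                             PRIMARY KEY (role, right_name));
"""
TEMPLATES = [("editor", "read"), ("editor", "write"),
             ("admin", "read"), ("admin", "write"), ("admin", "delete")]
USER_RIGHTS = [("alice", "read"), ("alice", "write"),                    # created from editor
               ("bob", "read"), ("bob", "write"), ("bob", "audit"),     # editor plus one right
               ("carol", "read"),                                        # editor minus one right
               ("dave", "read"), ("dave", "write"), ("dave", "delete")]  # created from admin

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO role_templates VALUES (?, ?)", TEMPLATES)
    conn.executemany("INSERT INTO user_rights VALUES (?, ?)", USER_RIGHTS)
    return conn

def users_matching(conn, role, exact=False):
    """Users holding every right in the template; exact=True also forbids extra rights."""
    size = conn.execute("SELECT COUNT(*) FROM role_templates WHERE role = ?",
                        (role,)).fetchone()[0]
    if size == 0:          # unknown or empty template must not match everyone
        return []
    rows = conn.execute("""
        SELECT ur.username
        FROM user_rights ur
        LEFT JOIN role_templates rt
               ON rt.role = ? AND rt.right_name = ur.right_name
        GROUP BY ur.username
        HAVING COUNT(rt.right_name) = ?                      -- has all template rights
           AND (? = 0 OR COUNT(*) = COUNT(rt.right_name))    -- and, if exact, nothing else
        ORDER BY ur.username""", (role, size, int(exact))).fetchall()
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = build_db()
    for role in ("editor", "admin"):
        print(role, users_matching(db, role), users_matching(db, role, exact=True))
```

With this sample data, the superset search for "editor" also returns the user created from the admin template, while the exact search drops any user whose rights were edited individually after creation.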