Saturday, July 26, 2008

Permission system design - Part 1

I have been trying to implement a decent permission system in Rails. There are many plugins out there. The most useful one for my needs was the authorization plug-in. I am trying to solve this issue in the context of Ruby and Rails, but ideally the design of a permission system is a general, well-known problem.
Let's take, for example, a system that has multiple modules, such as a calendaring module and a room reservation module. There are multiple levels at which permissions can be granted:
  1. Per-module permissions: permissions are granted to users to create_calendars or view_calendars. For the other module these could be delete_reservations, and so on.
  2. Per-object permissions: I want to give permissions on a specific object or instance. For example, if we have a calendar called employees and another called management, then I would like to give an edit_calendar permission on the employees calendar to the HR user, and an edit_calendar permission on the manager's calendar to the manager's personal assistant.
  3. Per-field permissions: for example, I want to give the permission edit_calendar_name only to the administrator user. Note that this level could work hand in hand with the previous point.
  4. Per object-user role permissions: assume a reservation has two roles, the creator of the reservation and the guests. I would then give reservation_view_creator to a user A. This restricts the user to viewing only the reservations of which he is the creator. As you can see, this is more of a restriction than a permission, i.e. granting reservation_view_creator will limit the viewed items rather than increase them.
  5. Now take everything I mentioned and add user-group-based permissions to it. As in most systems, each user will have a role (admin, moderator, guest), so the permission system should understand that if a user is part of a group that has a permission, she should inherit the permission too. Also, in point 4, the permission reservation_view_creator_group should allow users to view all reservations where they OR a person in their group (role) is the creator. This is related but not the same as number 5.
This is the problem domain and the solution is to follow.
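As an added illustration of the five levels listed above (this is not the author's solution, which the post defers to a later part), the Ruby sketch below models them with a single grant table and a deny-by-default check. Grant, Checker, the view_reservations permission and the sample users and groups are assumptions made for the example, as is the rule that a scoped grant from point 4 overrides a broader view grant.

```ruby
# Added sketch. Grant, Checker, :view_reservations and the sample data are hypothetical.
Grant = Struct.new(:subject, :permission, :object) # object nil = module-wide grant

class Checker
  # Level 4 scoped permissions, widest first (assumption: the wider one wins).
  SCOPED = { reservation_view_creator_group: :group, reservation_view_creator: :self }.freeze

  def initialize(grants, groups)
    @grants = grants # Array of Grant
    @groups = groups # { user => [group, ...] }
  end

  # Level 5: a user holds their own grants plus those of each group they belong to.
  # Subjects are tagged so a user named like a group cannot pick up its grants.
  def subjects_for(user)
    [[:user, user]] + @groups.fetch(user, []).map { |g| [:group, g] }
  end

  # Levels 1-3: a module-wide grant, or a grant on this exact object. Field
  # permissions are finer-grained names. No matching grant means deny.
  def allowed?(user, permission, object = nil)
    subjects = subjects_for(user)
    @grants.any? do |g|
      subjects.include?(g.subject) && g.permission == permission &&
        (g.object.nil? || g.object == object)
    end
  end

  # Level 4: a scoped grant narrows the result even when a broader grant exists.
  def visible_reservations(user, reservations)
    mine = @groups.fetch(user, [])
    case SCOPED.find { |perm, _| allowed?(user, perm) }&.last
    when :self then reservations.select { |r| r[:creator] == user }
    when :group
      reservations.select { |r| r[:creator] == user || (@groups.fetch(r[:creator], []) & mine).any? }
    else allowed?(user, :view_reservations) ? reservations : []
    end
  end
end

# Constructed sample data.
GROUPS = { root: [:admin], alice: [:sales], bob: [:sales], carol: [:ops] }.freeze
GRANTS = [
  Grant.new([:user, :hr], :edit_calendar, :employees),
  Grant.new([:user, :assistant], :edit_calendar, :management),
  Grant.new([:group, :admin], :edit_calendar_name, nil),
  Grant.new([:user, :alice], :reservation_view_creator, nil),
  Grant.new([:user, :alice], :view_reservations, nil),
  Grant.new([:user, :bob], :reservation_view_creator_group, nil),
  Grant.new([:group, :ops], :view_reservations, nil)
].freeze
RESERVATIONS = [{ id: 1, creator: :alice }, { id: 2, creator: :bob }, { id: 3, creator: :carol }].freeze
CHECKER = Checker.new(GRANTS, GROUPS)
```
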