How to represent different application domains in an ACL?

Question

I am working on a web application where different user groups have different access to resources. So far nothing special I guess, but there is a caveat; the application is divided into "domains" so that each of our client organizations has their own content. Here I am using a simpler model to illustrate my problem.

Each domain has the same resource types, but each resource instance is connected to one domain only. Here is what it would look like with one domain:

Resources: stories, announcements

Roles:
    guest   // read only access
    root    // unlimited access 
    editor  // like guest, but with r/w access to resource "stories"
    admin   // r/w access to both resources

I have come up with two different approaches to implement this using Zend_Acl, the first is to simply use different ACLs for different domains, copying the above for each domain. The second is to use one ACL only and add new roles for each domain:

Domains: domain0, domain1, domain2

Roles:
    guest
    root
    editor-domain0
    editor-domain1
    editor-domain2
    admin-domain0
    admin-domain1
    admin-domain2

The second approach has the advantage that a user can be admin of one domain while being editor of another (might actually happen). But it also has the disadvantage that the roles are not static - we need to generate each time we add or remove a domain.

Are any of these approaches any good, or are there better ways of dealing with multiple domains?

Answer 1

Another solution could be to subclass Zend_Acl, more specifically the methods 'allow' and 'deny'.

Eg

allow($role, $action, $resource, $domain) {
 // parent::allow($role . '-' . $domain, $action, $resource);
}

It's not as simple as that but you get the idea.

I'm not sure about what you mean with resource instances, but I'll suggest it anyway: 'resource-domain', eg allow('admin', 'action', 'story-domain0').