I am working on a web application where different user groups have different access to resources. So far nothing special I guess, but there is a caveat; the application is divided into "domains" so that each of our client organizations has their own content. Here I am using a simpler model to illustrate my problem.
Each domain has the same resource types, but each resource instance is connected to one domain only. Here is what it would look like with one domain:
Resources: stories, announcements
Roles:
guest // read only access
root // unlimited access
editor // like guest, but with r/w access to resource "stories"
admin // r/w access to both resources
I have come up with two different approaches to implement this using Zend_Acl, the first is to simply use different ACLs for different domains, copying the above for each domain. The second is to use one ACL only and add new roles for each domain:
Domains: domain0, domain1, domain2
Roles:
guest
root
editor-domain0
editor-domain1
editor-domain2
admin-domain0
admin-domain1
admin-domain2
The second approach has the advantage that a user can be admin of one domain while being editor of another (might actually happen). But it also has the disadvantage that the roles are not static - we need to generate each time we add or remove a domain.
Are any of these approaches any good, or are there better ways of dealing with multiple domains?