views: 42
answers: 0

I've put together an ACL permissions system into my application and I'm now wondering about how best to use it, especially in regards to user groups. In its simplest form, there will be several "role" groups ("admins", "editors", "users", etc.) and all users will belong to one of these groups.

My question is: in your experience, is it better* to structure the ARO tree to have the most permissions at the top and remove them as you go down (1), or to have the least permissions at the top and add them as you go down (2)?

(1):
- Admins          allow all
  - Editors       deny create, delete
    - Users       deny update

(2):
- Users           allow read
  - Editors       allow update
    - Admins      allow create, delete

What are the pros and cons of each?
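The two tree shapes from the question, as an added example that is not part of the original post: a minimal ARO-style inheritance resolver written for this illustration. The `Role`/`resolve` helpers, the action vocabulary and the "nearest explicit rule wins, otherwise deny" semantics are assumptions of this example, not any particular ACL library's API. It builds both trees, shows that the three named roles end up with the same effective permissions either way, and then hangs an unconfigured child off each root to show how the two shapes behave when a rule is missing.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed CRUD-style action vocabulary for this example.
ACTIONS = ("create", "read", "update", "delete")


@dataclass
class Role:
    """One ARO node. Rules on a node override rules inherited from its ancestors."""
    name: str
    parent: Optional["Role"] = None
    allow: Set[str] = field(default_factory=set)  # "*" stands for every action
    deny: Set[str] = field(default_factory=set)


def resolve(role: Role, action: str) -> bool:
    """Walk from the role up to the root; the nearest node with an explicit rule wins.
    An action that no node on the path mentions is denied (default deny)."""
    node = role
    while node is not None:
        if action in node.deny or "*" in node.deny:
            return False
        if action in node.allow or "*" in node.allow:
            return True
        node = node.parent
    return False


def permissions(role: Role) -> Set[str]:
    """Effective permission set of a role after inheritance is applied."""
    return {a for a in ACTIONS if resolve(role, a)}


def build_tree_1() -> Dict[str, Role]:
    """Shape (1): most permissions at the root, denies subtract as you descend."""
    admins = Role("admins", allow={"*"})
    editors = Role("editors", parent=admins, deny={"create", "delete"})
    users = Role("users", parent=editors, deny={"update"})
    return {r.name: r for r in (admins, editors, users)}


def build_tree_2() -> Dict[str, Role]:
    """Shape (2): fewest permissions at the root, allows add as you descend."""
    users = Role("users", allow={"read"})
    editors = Role("editors", parent=users, allow={"update"})
    admins = Role("admins", parent=editors, allow={"create", "delete"})
    return {r.name: r for r in (admins, editors, users)}


def unconfigured_child(tree: Dict[str, Role], parent_name: str) -> Set[str]:
    """Permissions of a brand-new role under `parent_name` that has no rules of its own,
    i.e. what a role gets if someone adds it and forgets to configure it."""
    return permissions(Role("new-role", parent=tree[parent_name]))


if __name__ == "__main__":
    for label, tree in (("(1)", build_tree_1()), ("(2)", build_tree_2())):
        for name in ("admins", "editors", "users"):
            print(label, name, sorted(permissions(tree[name])))
    # The same omission (a child with no rules) under each root:
    print("(1) unconfigured child of root:", sorted(unconfigured_child(build_tree_1(), "admins")))
    print("(2) unconfigured child of root:", sorted(unconfigured_child(build_tree_2(), "users")))
```

With the rules exactly as written in the question the two shapes are equivalent: admins get everything, editors get read and update, users get read only. The difference shows up in the failure mode. In shape (1) a node inherits everything its ancestors allow, so a forgotten deny or an unconfigured new role silently receives the full admin set (fails open), and every lower role must enumerate what it loses. In shape (2) a node inherits only what its ancestors explicitly grant, so the same omission yields nothing beyond the parent's grants (fails closed), at the cost of listing each capability as it is added.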
