I'm coding a zend framework application using the the standard mvc paradigm with an added service layer to take care of application/business logic. It seems quite popular to put your access control into your services, rather than your modules/controllers/actions, however, I have only seen simple examples with static roles and permissions for those roles.
My application will be using a dynamic acl, allowing the admin user to add roles and set permissions on those roles. I have two questions:
- How do you map permissions in user land to that of services and methods in services? I don't believe it should be a 1:1 mapping. If your application is sufficiently large, you will have many services with many methods, and the permission structure will quickly become confusing for an end user setting permissions for a role.
- I have services that are global to the application and not specific to a module. How would you set permissions for those services based on the module that is accessed?
Any help would be greatly appreciated.