Concerning design:

  1. Every user is part of SOME group. (sales, parts, baseball players, whatever)
  2. Every "web page" gets seen by a group of people. (sales + parts + joe in accounting who got special permission)
  3. Every web page is usually part of a group of web pages on some level - you might try to keep these in some directory or start with some prefix but not always - i.e. when someone joins sales you don't want to have to specify - they get to see SalesPage1, SalesPage2, SalesPage3, SalesPartsPage1 etc.
+2  A: 

Since "Every web page is usually part of a group of web pages..." it is probably best to act as if "Every web page is always part of a group of web pages..." - even if some groups will only have 1 member!

That simplifies your data model to:

Users ---> User Groups <-------> Page Groups <--- Pages

Tony Andrews
+4  A: 

The easiest way is the following:

Users: contains your list of users, names, and IDs

SecurityGroups: contains a list of security groups such as "Sales", "Marketing". (id, security group name)

Pages: contains your list of pages (id, page name)

UserSecurityGroups: (userId, securityGroupId). Cross reference table of assigned rights

PageSecurityGroups: (pageId, securityGroupId, allowed). Cross reference table of security group membership that is allowed to access the page.

For each page load you would check to see if the PageSecurityGroups table for the specific page contained a group access that the user had.

Obviously, there could be more to this, such as assigning a page to a specific user, but you can extrapolate on this as necessary for your application.

Chris Lively
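The five tables and the per-page-load check described in the answer above, as an added example that is not part of the original answer. It assumes SQLite, constructed sample users, groups and pages, that only `allowed = 1` rows grant access (no row, or `allowed = 0`, means deny), and that a one-off permission is modelled as a single-member group (the hypothetical `JoeSpecial`).

```python
import sqlite3

SCHEMA = """
CREATE TABLE Users (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE SecurityGroups (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE Pages (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE UserSecurityGroups (
    userId INTEGER NOT NULL REFERENCES Users(id),
    securityGroupId INTEGER NOT NULL REFERENCES SecurityGroups(id),
    PRIMARY KEY (userId, securityGroupId));
CREATE TABLE PageSecurityGroups (
    pageId INTEGER NOT NULL REFERENCES Pages(id),
    securityGroupId INTEGER NOT NULL REFERENCES SecurityGroups(id),
    allowed INTEGER NOT NULL CHECK (allowed IN (0, 1)),
    PRIMARY KEY (pageId, securityGroupId));
"""

def build_db():
    """Constructed sample data: all names and ids are made up for illustration."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO Users VALUES (?, ?)",
                   [(1, "alice"), (2, "joe"), (3, "bob")])
    db.executemany("INSERT INTO SecurityGroups VALUES (?, ?)",
                   [(1, "Sales"), (2, "Accounting"), (3, "JoeSpecial")])
    db.executemany("INSERT INTO Pages VALUES (?, ?)",
                   [(1, "SalesPage1"), (2, "SalesPage2"), (3, "AccountingPage1")])
    # alice -> Sales; joe -> Accounting + JoeSpecial; bob -> Accounting
    db.executemany("INSERT INTO UserSecurityGroups VALUES (?, ?)",
                   [(1, 1), (2, 2), (2, 3), (3, 2)])
    # (pageId, securityGroupId, allowed); the last row is an allowed = 0 entry
    db.executemany("INSERT INTO PageSecurityGroups VALUES (?, ?, ?)",
                   [(1, 1, 1), (2, 1, 1), (3, 2, 1), (1, 3, 1), (2, 2, 0)])
    return db

def can_view(db, user_id, page_id):
    """Per-page-load check: True only if one of the user's groups has allowed = 1."""
    row = db.execute(
        """SELECT 1 FROM UserSecurityGroups ug
           JOIN PageSecurityGroups pg ON pg.securityGroupId = ug.securityGroupId
           WHERE ug.userId = ? AND pg.pageId = ? AND pg.allowed = 1
           LIMIT 1""",
        (user_id, page_id)).fetchone()
    return row is not None  # no matching row means deny by default
```

Run the check on the server for every request, with the user id taken from the authenticated session and never from a request parameter.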
Wow, you guys are awesome that you gave worthwhile answers so quickly.