I am planning to use Acegi in an application that has a need to split users in groups. I've noticed there seems to be some mixing in the terms 'group' and 'role', so this is what I think they mean:
- role: the user privileges to the system: this would be the administrator or the regular user roles;
- group: the group is a collection of users, possibly with the same roles, but working in different departments, for example.
So, I could have two users with the role 'regular user', one of them being part of group 'department A' and another one being part of 'department B'.
The way it seems to me is that the 'role' tells the application which transactions a given user can execute and the 'group' will help in the ACL control: for example, 2 regular users, one from department A and the other one from department B, can both access the transaction 'listCars', but they can only see the cars that belong to their group.
Given this, I understand that I could use Authorities to represent both 'role' and 'group' and that I would associate a given object identity in the 'acl_permission' table with 2 records, one for the user who created the object and another one for the primary group the user belongs to.
Does anyone have a similar scenario and has implemented something similar? This primary group would be something that would vary if the user has access to more than one application, so I am not sure I could have just one primary group (maybe I would have to have a 'chgrp'-like function in my application...)
Thanks, both for any comments and for the great work in Acegi,
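To make the role/group split described in the post concrete, here is an added stand-alone model of that design (example code, not Acegi's own and not from the poster): roles and groups both live in the user's authorities, the role gates the 'listCars' transaction, and each car's object identity gets two ACL rows, one for its creator and one for the creator's primary group. The table and column names only loosely follow Acegi's basic ACL schema, and the READ mask, the ROLE_/GROUP_ naming and the sample users are assumptions.

```python
import sqlite3
# Constructed stand-alone model of the post's design (not Acegi code): authorities
# hold both roles and groups, and each object identity gets one acl_permission row
# for its creator and one for the creator's primary group. Names are assumptions.
READ = 1  # assumed permission mask bit
SCHEMA = """
CREATE TABLE authorities (username TEXT, authority TEXT);
CREATE TABLE acl_object_identity (id INTEGER PRIMARY KEY, object_identity TEXT UNIQUE, acl_class TEXT);
CREATE TABLE acl_permission (acl_object_identity INTEGER REFERENCES acl_object_identity(id),
                             recipient TEXT, mask INTEGER, UNIQUE (acl_object_identity, recipient));
"""

def setup():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO authorities VALUES (?, ?)", [
        ("alice", "ROLE_USER"), ("alice", "GROUP_DEPT_A"),  # regular user, department A
        ("bob", "ROLE_USER"), ("bob", "GROUP_DEPT_B"),      # regular user, department B
        ("carol", "ROLE_USER"), ("carol", "GROUP_DEPT_A"),  # same role as alice, same group
        ("dave", "GROUP_DEPT_A"),                           # in department A but holds no role
    ])
    return db

def create_car(db, car_id, creator, primary_group):
    """Register a Car and grant READ to its creator and to the creator's primary group."""
    oid = db.execute("INSERT INTO acl_object_identity (object_identity, acl_class) VALUES (?, 'Car')",
                     (f"Car:{car_id}",)).lastrowid
    db.executemany("INSERT INTO acl_permission VALUES (?, ?, ?)",
                   [(oid, creator, READ), (oid, primary_group, READ)])

def list_cars(db, username):
    """The role gates the 'listCars' transaction; ACL rows decide which cars the user sees."""
    auths = {r[0] for r in db.execute(
        "SELECT authority FROM authorities WHERE username = ?", (username,))}
    if "ROLE_USER" not in auths:
        raise PermissionError(f"{username} may not run listCars")
    recipients = sorted(auths | {username})  # the user's own name plus every group/role held
    marks = ",".join("?" * len(recipients))
    rows = db.execute(f"""
        SELECT DISTINCT oi.object_identity FROM acl_object_identity oi
        JOIN acl_permission p ON p.acl_object_identity = oi.id
        WHERE oi.acl_class = 'Car' AND (p.mask & ?) != 0 AND p.recipient IN ({marks})
        ORDER BY oi.object_identity""", [READ, *recipients]).fetchall()
    return [r[0] for r in rows]

def demo():
    db = setup()
    create_car(db, 1, "alice", "GROUP_DEPT_A")
    create_car(db, 2, "bob", "GROUP_DEPT_B")
    return {u: list_cars(db, u) for u in ("alice", "bob", "carol")}
```

Carol sees alice's car only through the GROUP_DEPT_A row, which is the group-scoped visibility the post describes; dave is stopped by the role check before any ACL row is consulted.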