Permission groups rather than individual users

Whenever you have an inclination to grant permissions to some particular user, consider why you have this inclination. Likely you're reaching to give permissions to a user because that user fulfills some role. Instead of granting the permission directly to the user, create a Group representing the Role, grant the permissions to the Group, and then add the user to the Group. This has the same net effect (granting permissions to the user) while leaving behind a readable record of why the user has these permissions. When another user steps into one of the roles of the currently privileged user, the workflow becomes one of adding the new user to the groups associated with the role.
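The following is an added example, not code from the portal or from the original page. It models the paragraph above with constructed data: it explains why a user holds each permission, lists grants made directly to users, and shows a role handover as a membership change only. All group, user and permission names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data: every name here is hypothetical.
GROUP_MEMBERS = {
    "Content Editors": {"alice"},
    "Portal Operators": {"alice", "bob"},
}
# Each grant is (principal_type, principal, permission).
GRANTS = [
    ("group", "Content Editors", "EDIT_NEWS"),
    ("group", "Portal Operators", "RESTART_PORTLET"),
    ("user", "carol", "EDIT_NEWS"),  # direct grant: no record of why
]


def explain(user, members=GROUP_MEMBERS, grants=GRANTS):
    """Map each permission the user holds to the reasons it is held."""
    reasons = defaultdict(list)
    for ptype, principal, perm in grants:
        if ptype == "user" and principal == user:
            reasons[perm].append("direct grant")
        elif ptype == "group" and user in members.get(principal, set()):
            reasons[perm].append("member of " + principal)
    return dict(reasons)


def direct_user_grants(grants=GRANTS):
    """Audit check: list grants made to a user instead of a role group."""
    return [(p, perm) for ptype, p, perm in grants if ptype == "user"]


def hand_over(role_group, leaving, joining, members):
    """Role handover: a membership change only, the grants stay untouched."""
    updated = {g: set(m) for g, m in members.items()}  # copy, do not mutate
    updated[role_group].discard(leaving)
    updated[role_group].add(joining)
    return updated


if __name__ == "__main__":
    print(explain("alice"))        # permissions traced to role groups
    print(explain("carol"))        # permission with no role behind it
    print(direct_user_grants())    # grants an audit should question
    after = hand_over("Content Editors", "alice", "dave", GROUP_MEMBERS)
    print(explain("dave", members=after))
```
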

Counterpoint: in small portal deployments with few administrative users, this formality can be overkill. If your project really is one of a couple of administrative users serving as the "privileged few" and everyone else being "huddled masses", modeling all the roles of the "privileged few" may not be worthwhile. You might get by with just a "TrustedAdmin" group to which many (all?) permissions are granted. Or, really, you might get by with just directly granting a couple of users lots of permissions. The complexity and management problem isn't helped much by introducing role groups in the case where it's only one or two users you're talking about anyway.