What is the best database schema to track role-based access controls for a web application?
I am using Rails, but the RBAC plugin linked by Google looks unmaintained (only 300 commits to SVN; latest was almost a year ago).
The concept is simple enough to implement from scratch, yet complex and important enough that it's worth getting right.
So how do others architect and implement their RBAC model?
To my rather basic knowledge in that area, the basic actors of an RBAC are:
Resources <- require -> (one or many) Permissions.
Roles <- are collections of -> (one or many) Permissions.
Users <- can have -> (one or many) Roles.
The tables for such a model would be:
Now you might want to include resources here as well if you want users of your application to be able to configure which permissions a resource needs. But I never needed that. Hope that helps.
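One possible schema for the users / roles / permissions model described in the answer above, as an added example that is not part of the original answer. Table, column and permission names are assumptions, resources are left out as in the answer, and SQLite is driven from Python only so that the SQL runs offline.

```python
import sqlite3

# Entity tables plus two junction tables (names are assumptions for this example).
SCHEMA = """
PRAGMA foreign_keys = ON;
CREATE TABLE users       (id INTEGER PRIMARY KEY, login TEXT NOT NULL UNIQUE);
CREATE TABLE roles       (id INTEGER PRIMARY KEY, name  TEXT NOT NULL UNIQUE);
CREATE TABLE permissions (id INTEGER PRIMARY KEY, name  TEXT NOT NULL UNIQUE);
CREATE TABLE user_roles (
  user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
  role_id INTEGER NOT NULL REFERENCES roles(id) ON DELETE CASCADE,
  PRIMARY KEY (user_id, role_id));
CREATE TABLE role_permissions (
  role_id       INTEGER NOT NULL REFERENCES roles(id) ON DELETE CASCADE,
  permission_id INTEGER NOT NULL REFERENCES permissions(id) ON DELETE CASCADE,
  PRIMARY KEY (role_id, permission_id));
"""

# A user holds a permission only if at least one of their roles grants it.
CHECK = """
SELECT EXISTS (
  SELECT 1 FROM users u
  JOIN user_roles ur       ON ur.user_id = u.id
  JOIN role_permissions rp ON rp.role_id = ur.role_id
  JOIN permissions p       ON p.id = rp.permission_id
  WHERE u.login = ? AND p.name = ?)
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed sample data: carol exists but has no role.
    db.executescript("""
    INSERT INTO users VALUES (1,'alice'),(2,'bob'),(3,'carol');
    INSERT INTO roles VALUES (1,'editor'),(2,'viewer');
    INSERT INTO permissions VALUES (1,'article.read'),(2,'article.update');
    INSERT INTO role_permissions VALUES (1,1),(1,2),(2,1);
    INSERT INTO user_roles VALUES (1,1),(2,2);
    """)
    return db

def can(db, login, permission):
    """Deny by default: unknown users, role-less users and unknown permissions get False."""
    return bool(db.execute(CHECK, (login, permission)).fetchone()[0])

if __name__ == "__main__":
    db = build_db()
    for who in ("alice", "bob", "carol", "mallory"):
        print(who, can(db, who, "article.update"))
```

The composite primary keys prevent duplicate grants, and the cascading foreign keys mean that deleting a role removes every assignment and grant that referenced it, so no orphaned access is left behind.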