Thanks for the feedback, I modified my design based on your comments and explained things a little better.
My response to your points
- 1. User and roles have a 1 to 1 relationship with in the context of a group. Therefore my thought is that it is easier for a newbie(and me) to connect how roles/users/permissions(at least to context) work. This might still need work for those 10,000 user sites.
2. In response to your comments I changed my thoughts on how loading the Access Polices would work:
Every time you select an Access Policy and then click load it will only check the checkboxes of the permissions in its policy and it would not uncheck others therefore it would allow multiple Access Policies. The Clear button would remove all checks from the permissions fields and the All Permissions would select everything for you.
3. Currently (if I understand correctly) every Context Access entry has only one Role assigned to it and only one Access Policy assigned to it per entry. Both in the GUI and in the DB. Inherited permissions would be set to readonly and marked visually to indicate that they are inherited. Once you hover over them it would tell you what role has that permission.
Technical – how to development it in the DB.
I would say keep the current structure on how everything works but just add a little to it.
Option 1: Add a new DB table – access_permission_defaults, with columns id, name, description, perm_type (like View, Add, Edit…), namespace (core or some extra) – then you could sort them in the table that is in the sketch.
Option 2: Add the perm_type and namespace columns to the existing access_permissions table. Then assign then to a Access Policy like All Perms.
Now the way I understand the DB every permission has to be tied to an Access Policy and that would get messy if you made a lot of little changes and each Role basically created an Access Policy. So I would suggest adding another column to the access_policies table something like visible with 1/0 values. All of these “created” Access Policies would be set to 0 and not show up in the GUI to select. This still allows those that wish to create custom Access Policy groups but the person that does not really understand how Access Policies relate to be able to see all of it on one page.