Conceptual Design Question

Hi All,
I am making a DAM (seems to be the hip thing to do these days). It is
for the company that I work for. We have some really weird domain
rules that have prevented me from just using a simple directory
structure file permission system. I have come up with a solution but I
wanted to run it by you gurus to ensure that I am not recompiling the
wheel here.

Basically the domain rule is:
A user should be able to access a category and the assets within the
category only if they have the appropriate permissions. There are
assets within a category, which can have different access rights
meaning having access to the root category does not mean that you have
access to all the files within.

Here is what I have laid out as a possible structure:

A user is a person who has access to the site. The content a user can
see, and the effects they have over it depend on their roles and
A user can:
• Have access to many categories
• Have many roles
• Belong to many user groups

A category is a specific area of the site where assets and other
categories are stored. Content managers can specify asset restrictions
for categories. For example, a category may only allow images under
five megabytes to be uploaded. By default, the category does not have
any restrictions on asset types.
A category can:
• Have many assets
• Be accessed by many users
• Be contained in many permission groups

An asset is any file uploaded into a category. While assets can be any
digital file that can be stored on a computer, they are typically
images, text documents or spreadsheets. An asset can have several
attributes, which a file owner can specify.
An asset can have:
• One owner
• Belong to many permission groups
• Belong to one category
• Can be marked as locked, which means another asset cannot overwrite it
• Can be marked as private, which means only the owner can see it
• Can be marked as archived, which means only user administrators can
see it

Permission Groups
A permission group is a collection of permissions tied to a central
group. Using permission groups a user admin can assign access to a
user by assigning them to a group rather than assigning them
permissions individually.
A permission group can have:
• One to many users
• One to many categories
• One to many assets

Is this a smart way to go about things?
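
The model described in the post above, written out as a deny-by-default access check. This is an added example, not code from the original post or from ActiveRBAC. The class names, the `:user_admin` role symbol, the `is_private`/`is_archived` field names, and the order in which the flags are evaluated (archived first, then owner, then private, then group grants) are assumptions; the sample users and assets are constructed.

```ruby
# Constructed model of the post's entities; all names are illustrative.
User            = Struct.new(:name, :roles)
Category        = Struct.new(:name)
Asset           = Struct.new(:name, :owner, :category, :is_private, :is_archived)
PermissionGroup = Struct.new(:users, :categories, :assets)

class AccessPolicy
  def initialize(groups)
    @groups = groups
  end

  # A user reaches a category only through a group that lists both.
  def can_access_category?(user, category)
    @groups.any? { |g| g.users.include?(user) && g.categories.include?(category) }
  end

  # Deny by default. Flags are checked before any group grant, so a
  # group entry can never widen access to a private or archived asset.
  def can_view_asset?(user, asset)
    return user.roles.include?(:user_admin) if asset.is_archived
    return true if asset.owner == user
    return false if asset.is_private
    # Category access alone is not enough: the asset needs its own grant.
    can_access_category?(user, asset.category) &&
      @groups.any? { |g| g.users.include?(user) && g.assets.include?(asset) }
  end
end

# Constructed sample data.
ALICE   = User.new('alice', [:editor])
BOB     = User.new('bob', [:editor])
ADMIN   = User.new('root', [:user_admin])
BRAND   = Category.new('brand')
LOGO    = Asset.new('logo.png', ALICE, BRAND, false, false)
DRAFT   = Asset.new('draft.doc', ALICE, BRAND, true, false)
OLD     = Asset.new('old.png', ALICE, BRAND, false, true)
PRICING = Asset.new('pricing.xls', ALICE, BRAND, false, false)

# Bob's group lists the category and three assets, but not PRICING.
POLICY = AccessPolicy.new([PermissionGroup.new([BOB], [BRAND], [LOGO, DRAFT, OLD])])

[LOGO, DRAFT, OLD, PRICING].each do |a|
  puts format('%-12s bob=%-5s admin=%s', a.name,
              POLICY.can_view_asset?(BOB, a), POLICY.can_view_asset?(ADMIN, a))
end
```
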

Can ActiveRBAC do what you want?


I don’t know much about ActiveRBAC yet. I just started reading about it
a week ago. I’ve read that it will be switching to an engine soon (James
even offered to help) and eventually ActiveRBAC would like to be

I’m hoping it is what I need for roles based authorization in the
store.rb open source ecommerce project I am working on.

Maybe you could join the ActiveRBAC mailing list and ask questions
The author answers questions quickly.


So this is a framework for role based systems? It looks very young
(though not as young as mine considering it is paper-based at this
point). The idea of a Framework is really good, I guess I should have
considered that rather than the roll-your-own approach.

Have you used this system before?
Thanks for the link,