Suggestion regarding permissions & co

hi, since im not fully satisfied with all the permissions-systems out
i was wondering if there is another way to handle the whole thing. Based
my experience on what i have seen in bigger systems, permissions are
handled a bit different.
The Suggestion here (or my insanity) is coming from an ERP system which
needs to handle many tables for many users with many different
needs &
settings. im talking about
userX who can do that and (NOT) see that and so and so forth. So here
my suggestion as well with questions since im sure this is not fully

Lets assume we have something like a Sales-Order:

-belongs_to: Customer
-belongs_to: ShippingAgent
-belongs_to: ShippingMethod
-has_one: Comment
-has_one: ShippingComment

-belongs_to: SalesOrderHeader
-belongs_to: Stockkeepingunit
-belongs_to: Item
-belongs_to: ItemDiscountGroup
-qty: integer

as u can see, a basic SalesOrder(SO) consists of 2 basic tables. The
part are the associations & the permissions:

Suggestion A:

Having a ‘Security’-Table (call it whatever u want), holding this data:

  • name_of _the_table(or an ID id the models are somehow enumerated):
    (value: eg SalesOrderHeader)
  • can_create: boolean
  • can_read: boolean
  • can_delete: boolean
  • can_update: boolean
  • filter: string (a reegular (my)sql-statemnt) (Value: eg: where
    Customer.Name != ‘Sony’)
  • user_id
  • this gives the ability to set permissions for each user on what he
    do on that model, including a filter.
  • this would need to be done for each table / model defined by the
    association too
    q: just giving the user access to the salesorderheader would that be
    because of all the associations the user would need (to have(?)) access
    the related tables / models too, right!?

Suggestion B

Lets define a ‘virtual / verbal’ Permission-Model, eg:
“SalesOrder”.Obviously, we would need to store it somewhere too, so lets
the same, but a bit differentlty:

  • name: String (value: eg SalesOrder)
  • can_create: boolean
  • can_read: boolean
  • can_delete: boolean
  • can_update: boolean
  • filter: string (a reegular (my)sql-statemnt) (Value: eg: where
    Customer.Name != ‘Sony’)
  • user_id

by giving him access to that he gets access (wr?) to all associated
tables / models too. This needs to be stored too then. but then
else pops into my head: some people should be able to maintain basic
maindata and some not, which kinda redirects back to Suggestion A…

But maybe there is a way finding a merged solution out of both
Suggestions, havent really thought through the whole thing though.

i know this topic is a painful one, but def an important one, especially
when u look into erntperise-scaled apps.

Before i go further i would like to hear whatu guys think of “one cool”
solutions which “just” fits. maybe we can come up with somehting, if not

oh well.But i hope u guys got the drift.

regards tom

ps: forgot the other part: even if a user needs to have different
permissions on different SalesORder, that would basically be covered by
merged in Y-Table, which represents the “security”. but thats part2

why dont you like declarative authorization or cancan? i dont see why
cant do what you described with any of those