Activity-based Authorization

Based on the post "Don't Do Role-Based Authorization Checks; Do Activity-Based Checks": code asks whether the current user may perform an activity, and roles exist only in the data layer as a grouping that maps to activities. A role check (`if user.IsInRole("Admin")`) hard-codes policy into every call site; an activity check keeps policy in the tables, where it can change without a deploy.

Tables

User
UserID | Name
1      | Jamie
2      | Tom

Role
RoleID | Name
1      | Admin
2      | General
3      | Audit
4      | Manager

Activity
ActivityID | Name
1          | Read A
2          | Create A
3          | Delete A
4          | Update A
5          | Read User
6          | Delete User

UserToRole
UserID | RoleID
1      | 3
2      | 1

RoleToActivity
RoleID | ActivityID
1      | 1
1      | 2
1      | 3
1      | 4
1      | 5
1      | 6
2      | 1
4      | 1
4      | 5

Code

Check the user's activity, not the role. Resolve the current user's activities through UserToRole and RoleToActivity once, then let call sites ask about activity names only. With the data above, Tom (Admin) holds every activity and Jamie (Audit) holds none until RoleToActivity is extended; either change is a data change, not a code change. Expose an API similar to Ruby's CanCanCan:

void Initial()              // load the current user's activity list (once per request or session)
bool Can(Activity name)     // true if the current user may perform this activity; unknown names are denied
bool Cannot(Activity name)  // !Can(name)
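Worked example of the tables and the Initial/Can/Cannot sketch above, written for this page rather than taken from the original post or from CanCanCan. It loads the five tables into an in-memory SQLite database (the column types, primary keys and the names open_db, ActivityAuthorizer, grant_activity and delete_user are assumptions of this example, not part of the page), resolves a user's activities with a single join, and shows that extending a role is a data change while a call site only ever asks Can(activity).

```python
import sqlite3

# Schema for the five tables on this page. Constructed for this example;
# the page gives only the columns, so types and keys here are assumptions.
SCHEMA = """
CREATE TABLE User           (UserID INTEGER PRIMARY KEY, Name TEXT NOT NULL);
CREATE TABLE Role           (RoleID INTEGER PRIMARY KEY, Name TEXT NOT NULL UNIQUE);
CREATE TABLE Activity       (ActivityID INTEGER PRIMARY KEY, Name TEXT NOT NULL UNIQUE);
CREATE TABLE UserToRole     (UserID INTEGER NOT NULL, RoleID INTEGER NOT NULL,
                             PRIMARY KEY (UserID, RoleID));
CREATE TABLE RoleToActivity (RoleID INTEGER NOT NULL, ActivityID INTEGER NOT NULL,
                             PRIMARY KEY (RoleID, ActivityID));
"""

# Rows copied from the tables above.
ROWS = {
    "User": [(1, "Jamie"), (2, "Tom")],
    "Role": [(1, "Admin"), (2, "General"), (3, "Audit"), (4, "Manager")],
    "Activity": [(1, "Read A"), (2, "Create A"), (3, "Delete A"),
                 (4, "Update A"), (5, "Read User"), (6, "Delete User")],
    "UserToRole": [(1, 3), (2, 1)],
    "RoleToActivity": [(1, 1), (1, 2), (1, 3), (1, 4), (1, 5), (1, 6),
                       (2, 1), (4, 1), (4, 5)],
}

# One join answers "which activities may this user perform?". The role is
# only used to reach the activities; it is never returned to the caller.
ACTIVITIES_SQL = """
SELECT DISTINCT a.Name
FROM UserToRole ur
JOIN RoleToActivity ra ON ra.RoleID = ur.RoleID
JOIN Activity a       ON a.ActivityID = ra.ActivityID
WHERE ur.UserID = ?
"""


def open_db():
    """In-memory SQLite database loaded with the page's sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in ROWS.items():
        marks = ", ".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    conn.commit()
    return conn


class ActivityAuthorizer:
    """Initial / Can / Cannot as sketched in the Code section (class name assumed)."""

    def __init__(self, conn, user_id):
        self._conn = conn
        self._user_id = user_id
        self._activities = frozenset()
        self.initial()

    def initial(self):
        """Load the current user's activity names once, per request or session."""
        rows = self._conn.execute(ACTIVITIES_SQL, (self._user_id,)).fetchall()
        self._activities = frozenset(name for (name,) in rows)

    def can(self, activity):
        """Default deny: an unknown or unmapped activity name is not allowed."""
        return activity in self._activities

    def cannot(self, activity):
        return not self.can(activity)


def grant_activity(conn, role_name, activity_name):
    """Giving a role a new activity is a data change; no call site is edited."""
    conn.execute(
        "INSERT OR IGNORE INTO RoleToActivity (RoleID, ActivityID) "
        "SELECT r.RoleID, a.ActivityID FROM Role r, Activity a "
        "WHERE r.Name = ? AND a.Name = ?",
        (role_name, activity_name),
    )
    conn.commit()


def delete_user(authz, conn, target_user_id):
    """A call site guards on the activity it needs, never on a role name."""
    if authz.cannot("Delete User"):
        raise PermissionError("current user may not perform 'Delete User'")
    cur = conn.execute("DELETE FROM User WHERE UserID = ?", (target_user_id,))
    conn.commit()
    return cur.rowcount   # number of rows actually deleted


if __name__ == "__main__":
    db = open_db()
    tom, jamie = ActivityAuthorizer(db, 2), ActivityAuthorizer(db, 1)
    print("Tom can Delete User:", tom.can("Delete User"))      # True  (Admin holds all six)
    print("Jamie can Read User:", jamie.can("Read User"))      # False (Audit maps to nothing)
    grant_activity(db, "Audit", "Read User")
    jamie.initial()
    print("Jamie can Read User now:", jamie.can("Read User"))  # True, no code changed
```

Two points worth keeping when porting this: `can` is deny-by-default, so a misspelled activity name is refused rather than granted and a typo shows up as a failing test, not as an escalation; and the activity set is a snapshot, so reload it (Initial) at request start and after any grant, since a long-lived cached set will not see changes to RoleToActivity.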