Designing a Contextual Role-Based Capability Control System

Update May 2: ScopedRole is now a PHP5.3 library based on this design and is passing initial unit tests!

After surveying a few permissions models that one might want to choose for an LMS, I think Moodle really got right the notion that role-based permissions should be flexible depending on the domain(s) the user’s in. Unfortunately Moodle’s implementation is completely bolted in, so I started looking around for a standalone implementation (few dependencies, no globals/state) of something similar.

For PHP dating back to 2002, phpGACL is designed and documented really well. It’s truly a drop-in solution with some advanced functionality, but doesn’t quite cover the concept of contextual roles, so it doesn’t quite cut it. What I’m imagining is something very similar but ideally without forcing a particular DB abstraction library on you.

Using the awesome WWW SQL Designer, I designed a bare-bones schema for the data:

Schema diagram for Contextal Role-Based Capability ControlThis is loosely based on Moodle’s schema, but I removed quite a lot, not only in hopes of getting it working quickly, but also because most implementers will have varying needs. E.g., implementers may need to localize role names and descriptions by language, so simple keys are all this schema is responsible for storing. I also removed special feature-related columns on the entities and link tables: the implementer is free to add columns as needed or just reference the id on each table. I’d imagine most folks dropping this into, e.g., a Zend Framework app just won’t need most of the features that Moodle had in there.

Also note it would come without a users table. The implementer will provides the system with unique integers for each user and that’s all it should need to do its job. You’re free to join the tables to create whatever views you need.

Any ideas for a catchier name than “Contextual Role-Based Capability Control System”? ScopedRole?

One thought on “Designing a Contextual Role-Based Capability Control System

  1. says:

    (after some sleep) You might need to store lots of special capabilities like “can view /resource/123”. When editing roles, you wouldn’t want those to show up in capability selection lists. One solution is to add a BIT column [capabilities][suitableForRole].

Leave a Reply