如何区分业务规则和授权规则，细颗粒度授权如何建模，Zend/Acl, Zend/Rbac ？

Question

1）admin用户或者角色，可以create/edit/delete/等操作，public repository

2）只有i/me(作者)，可以 操作 crud， private repository

规则1，使用acl/rbac里面的role，就可以处理授权。

规则2， 这个时候如何授权？
把作者自己赋予一个角色？
其他方法？

这个问题的外文版本，大家可以看看。Coarse-grained vs. fine-grained access control – part I

http://www.webfarmr.eu/2011/0...

Role-based access control (RBAC): sometimes, though, it is not who you are but rather what role(s) you embody. For instance, a person might be allowed to open a door. That right (or permission) is granted because that person has the role employee, not because of who they are. Typically, in RBAC, a user can have multiple roles to which different permissions can be granted. Take wordpress for instance, the popular blogging platform. WordPress lets users define roles and associate permissions to roles and then roles to users therefore transitively granting users permissions. But roles have their limits too. How do you express other conditions or parameters? What if you want to express a permission of the following form: “only employees can open the door between 9AM and 5PM”. With RBAC, you can express employee + open door. But you cannot really express the time constraint. In addition, what if you want employees who can only close doors? You would need to define employee_open and a employee_close role. This leads to role explosion.

“only employees can open the door between 9AM and 5PM”

这个问题随处可见： posts----author

rbac里面， user-----admin/member组------posts资源-----crud权限
EditPost操作，需要edit_post权限，这个时候如何授权？
edit_post权限， 只有admin组或者作者owner才能edit-article，这个时候用acl/rbac（特指ZendACL, ZendRbac）如何优雅地授权？
我当然明白要用assertion，但是这太麻烦了吧？

Answer 1

我都是：用户-组-组权限-权限 这样分的