The system I am developing has users with roles like entry, verify and approve. Each of these roles has different functions assigned to them. For example role entry has ApplicationEntry and ApplicationSearch functions, verify has AplicationVerify function ..and like that. When a user is asigned a role, he gets all the functions defined for that role. To handle this scenario, I have a user_role lookup table and a role_function lookup table.

Now sometimes this mapping need to be bypassed i.e. a user need to be assigned a function that belong to a different role. This is rare but should be present in the system. How can I implement this functionality without affecting the existing mapping? Thanks for any suggestion.

Create another role that encompasses the additional functions you need. Place your target user in both roles. Say you want to grant search for one specific area but don't want to give a user ALL of ApplicationSearch, create a "MySpecificSearchArea" role and assign the user to that instead. Then check if user has EITHER role when they attempt to look at MySpecificSearchArea.

Hi Teddy.thanks for the reply.

In that way I will have to create a new role everytime I need to bypass the mapping for a user. This system will be used in diferent offices and each office might choose to bypass the mapping in diferent ways. Say in one office one user having the Entry role might be assigned some functions of the Approve role. In another office one user having the Verify role might be assigned some functions of the Entry role. It is also possible after some time the extra functions can be taken back from that user.

So I would prefer to implement it in the database level without having to change any code.

Create a stand-alone role for each function. Assign users to functions as needed. If you want to get fancy you could allow roles to belong to roles. That makes the app code and data structure a lot more complex in exchange for the ability to create "custom" roles comprised of any number of functions without needing to change the code.

You'll probably get by just fine breaking out each "function" as a role and assigning them individually though. You can always charge extra if someone wants to create their own composite roles. ;o)