I'm trying to incorporate auth logic into the ancestor objects whereby I just have to set some flags in the descendant pages for automatic authentication. But I'm a bit confused as to how to design the auth module. Do I authenticate each page or each table or each action (select/insert/delete/update) on each page/table? How do I go about authenticating a page-action if the page has multiple action buttons such as Add, Edit, Delete...? Is it better to store auth data in the database? If so, what tables do I need (users/groups...) and their structure?
first decide what "actions" you'd like each user "role" to be able to do.
the simplest form of authentication is to check when each page loads if the user has access to view the page. if not, an informational message is displayed instead of the page content.
you can of course take that further. you might store the flags as session variables but it's good practice to store the flags in the database along with the user info. I don't find it appropriate to use database-level role security, instead I code that into the application layer.
essentially before placing a control (add, edit, delete) onto the page I would query the database to see if that control should be available to that user or not based on their assigned role.
I suspect that you'd divide your application into sections or categories, then for each determine if add, edit, or delete actions are appropriate to each role.
so start with the business case (application requirements). the implementation logic follows.
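The design the answer sketches (roles, a per-section/per-action permission table, a page-load check, and a lookup before each control is placed) as a runnable example. This is added illustration, not code from either poster; the table layout, the section names `orders`/`customers`, and the users and roles are constructed assumptions. It also shows the one piece a practitioner would want alongside the control-hiding logic: the action handler re-runs the same permission query, so a control that was not rendered is also not executable.

```python
import sqlite3

# Assumed schema: one role per user, permissions keyed by (role, section, action).
# The section and action names are constructed for this example.
SCHEMA = """
CREATE TABLE roles (
    id   INTEGER PRIMARY KEY,
    name TEXT UNIQUE NOT NULL
);
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    role_id  INTEGER NOT NULL REFERENCES roles(id)
);
CREATE TABLE permissions (
    role_id INTEGER NOT NULL REFERENCES roles(id),
    section TEXT NOT NULL,
    action  TEXT NOT NULL CHECK (action IN ('view', 'add', 'edit', 'delete')),
    PRIMARY KEY (role_id, section, action)
);
"""

# Controls a page may carry; 'view' gates the page itself rather than a button.
ACTION_CONTROLS = ("add", "edit", "delete")


def build_demo_db():
    """Create an in-memory database seeded with constructed roles, users and grants."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO roles (id, name) VALUES (?, ?)",
                     [(1, "admin"), (2, "editor"), (3, "viewer")])
    conn.executemany("INSERT INTO users (username, role_id) VALUES (?, ?)",
                     [("alice", 1), ("bob", 2), ("carol", 3)])
    grants = []
    for section in ("orders", "customers"):
        grants += [(1, section, a) for a in ("view", "add", "edit", "delete")]
        grants += [(2, section, a) for a in ("view", "add", "edit")]
        grants += [(3, section, "view")]
    conn.executemany("INSERT INTO permissions VALUES (?, ?, ?)", grants)
    conn.commit()
    return conn


def has_permission(conn, username, section, action):
    """The single authoritative check: does the user's role grant action on section?"""
    row = conn.execute(
        """SELECT 1 FROM users u
           JOIN permissions p ON p.role_id = u.role_id
           WHERE u.username = ? AND p.section = ? AND p.action = ?""",
        (username, section, action),
    ).fetchone()
    return row is not None


def render_page(conn, username, section):
    """Page-load logic: without 'view' the page body is replaced by a message;
    otherwise each control is queried before it is placed on the page."""
    if not has_permission(conn, username, section, "view"):
        return {"allowed": False,
                "message": "You do not have access to this page.",
                "controls": []}
    controls = [a for a in ACTION_CONTROLS if has_permission(conn, username, section, a)]
    return {"allowed": True, "message": "", "controls": controls}


def handle_action(conn, username, section, action):
    """Server-side handler for a control. It re-checks the permission so that
    a control hidden at render time cannot simply be submitted directly."""
    if not has_permission(conn, username, section, action):
        raise PermissionError(f"{username} may not {action} on {section}")
    return f"{action} on {section} performed by {username}"


if __name__ == "__main__":
    db = build_demo_db()
    for user in ("alice", "bob", "carol", "nobody"):
        print(user, render_page(db, user, "orders"))
```

Keeping `has_permission` as the one place that consults the database means the page renderer and the action handler cannot disagree about what a role may do, which is the property the application-layer approach in the answer depends on.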