Roles configuration strategy


We’re close to starting a new project using sf2 and, probably, FosUserBundle.

Keeping that in mind – what’s the best strategy to define roles? The app will be used by multiple divisions inside our company (every division has its manager and regular employees), as well as by external users, who can be divided into 3 groups (for now).

I’m coming up with two possible solutions:

  1. Each role represents a specific action in the app, i.e. the "add new task" action is described by a task_new role. Selected users get this role to be able to add new tasks.

  2. Each role represents a user ability, and every action checks whether the user has this ability, i.e. when a new task is being added, the controller checks if the current user has the task_access role.

I somehow really like the approach to this problem in our current app – there’s one place where only the admin has access, with a list of all registered actions. Users are divided into about 10 groups and all you have to do is check that a group has access to an action. In this case no code-juggling is required, but I’m afraid it will generate some limitations or role overgrowth in the new app.

What I’m really afraid of is spending too much time changing the security code in a specific controller/action. I mean, when a new user has to get access to a specific place, I will have to go to the code, handle the new role, the code will grow, and so on. I want to keep this time as low as possible, and the setup as flexible as possible.

I believe there are some great solutions to this problem. Am I right?

To avoid having to touch the code when new roles are thought up, I would use a three-way division in my user/role management:

  • Permissions define actions that are possible. For example, you could have separate permissions for read access, write/modify access, create access, modifying permissions, etc. You can even let separate modules define separate permission sets.
  • Roles represent the set of permissions that groups of similar users will have. For example: Managers, Regular Users, External Users, Administrators.
  • Users have a role (or possibly more) within the system. This is the level at which authentication takes place.

If a new role is thought up that needs a different set of permissions (for example, a Power User), it is just a matter of adding it to the list of roles and assigning the correct set of permissions.
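The three-way division above, as an added example that is not part of the original answer: permissions are declared by modules, roles are data (named sets of permissions), and controller-style actions check a permission rather than a role name, so adding a "Power User" role needs no code change. Names, permission strings and users are constructed for illustration, not from any real project.

```python
from dataclasses import dataclass, field

# Constructed sample permission sets; each module declares its own.
TASK_PERMISSIONS = {"task.read", "task.create", "task.modify"}
ADMIN_PERMISSIONS = {"permission.modify"}
ALL_PERMISSIONS = TASK_PERMISSIONS | ADMIN_PERMISSIONS

# Roles are named sets of permissions stored as data, not as code branches.
ROLES = {
    "External User": frozenset({"task.read"}),
    "Regular User": frozenset({"task.read", "task.create"}),
    "Manager": frozenset({"task.read", "task.create", "task.modify"}),
    "Administrator": frozenset(ALL_PERMISSIONS),
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)  # a user may hold several roles


def define_role(name, permissions):
    """Register a new role; every permission must be one a module declared."""
    unknown = set(permissions) - ALL_PERMISSIONS
    if unknown:
        raise ValueError(f"unknown permissions: {sorted(unknown)}")
    ROLES[name] = frozenset(permissions)


def effective_permissions(user):
    # Union over all of the user's roles; a role missing from ROLES grants nothing.
    return set().union(*(ROLES.get(r, frozenset()) for r in user.roles))


def is_granted(user, permission):
    # Deny by default: a permission string no module declared is never granted,
    # which catches typos in checks instead of silently passing them.
    if permission not in ALL_PERMISSIONS:
        return False
    return permission in effective_permissions(user)


def create_task(user, title):
    """Controller-style action: checks a permission, never a role name."""
    if not is_granted(user, "task.create"):
        raise PermissionError(f"{user.name} may not create tasks")
    return {"title": title, "owner": user.name}
```

Granting a new group access is then a change to ROLES (or to a user's role set), while create_task stays untouched.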
