The thing I am going to do now, based on your information, is to implement “Roles”, which both auth systems I mentioned implement, though ptirhiik calls his “presets” Now, remember each zone is separate, so each zone will have its own role, which is a predefined set of permissions. How trhis will work is I will set the permissions for a Zone, save it as a role, and then a role id will be attached to all permission entries for users which match the role’s permissions. Know that one user’s permissions entry takes up one row per zone. I will probably use an MD5 hash for matching. This will allow me to either: 1) have the system automatically find out what role the user is and set the role id, or 2) allow me to manually give users roles.

With this, it is almost like groups, since I can view/sort users by role and zone, and I can see who has permissions assigned by a common role, and who is “out in left field” with permissions which don’t match a role.

If every user has a unique set of permissions then user-based is the way to go. But I don’t think I have ever seen a system where literally every user has a set of permissions that are uniquely their own. Generally you create groups and assign permissions to groups. One group is called the “Everyone” group, and all users are in that group by default. An unregistered user is in the “Guest” group, and they have potentially different rights. And then there is the “Admin” group who owns the system. There’s your security system at its most basic level. Then you start adding new groups that have permissions or roles somewhere in between “Everyone” and “Admin” and those become your special groups.

Typically the folks in these groups are the exceptions rather than the rule. Meaning the percentage of people with special permissions should be less than 5% of your total user population. Don’t ask me where that number came from, I pulled it out of thin air.

I have to stop here or my anti-spam code is going to dump this comment to /dev/null

However, I have some doubts about how I designed it. For example, it completely removes the groups functionality. My site, as of now, has no groups at all. I am now unsure of whether this was the right thing to do or not.

The system works, but one of the features it is supposed to provide such as ‘global’ permissions are not functioning yet. One example of a global would be a user who can moderate all forums. I don’t have the part of the admin panel which allows me to actually aassign permissions to users finished yet, either.

Think about how phpBB works. When you click on a group, you can see the permissions for that group. You can use the user group control panel (groupcp.php) to see who is a member of that group. But without going into the database, can you easily determine which user has been granted permissions on a specific forum? Not really.

I do everything with groups, and it’s much easier to manage. I think that’s a fairly standard practice. Do you use individual user permissions? If so, do you find them easy to track and manage?