- A Permission is a granular activity-based access control
- Defined by "us" (developers)
- A Profile is a supported user identity type in the app
- Defined by us
- These are tracks we've built the app to be able to go down (e.g., which dashboard to go to)
- A user may have roles in more than one profile
- Each Profile has "them"-generated (user generated) roles
- A Role is a group of permissions for a Profile
- The Permissions displayed are affected by the Role
- Defined by them
- A user may have more than one role per profile.
- A user has exactly one active profile (which has at least one role), but can switch profiles.
Profiles exist to answer questions related to which "type" of user the app is dealing with. Permissions exist to answer questions related to what access the user can have. (E.g., Profile: "Should the user be routed to the admin or affiliate dashboard?" vs Permission: "What should they see and be able to edit once they are routed?") Roles exist in service of making permissions manageable.
Without profiles, you end up with a set of faux permissions - "permissions" which really are just interested in who you are (e.g., canSeeAdminDashboard and canSeeAffiliateDashboard are really just questions about who is using the app).
Without roles, every user is a one-off set of permissions. For example, if you're creating multiple users for managing invoices, you'd have to re-select exactly the same permissions for each user, including months later after you hire another person to manage invoices. Or suppose a new invoice feature comes out later. You'd have to remember which users are doing invoice work, and update each of them with this new permission.
- can(Action, Subject)
Let's say you and I created an app that allows lawn care business owners to manage their work.
- Lawn Care Owners log in to create clients, create employees, assign jobs to employees, send invoices to their clients, and write monthly newsletters about lawn care tips to their clients.
- Lawn Care Workers log in to see their schedule.
- Clients log in to pay their invoices, and see past invoices.
- As part of an affiliate system, homeowner associations can log in to see clients in their neighborhoods.
- Finally, product marketing companies can log in to post ads to this app, since it's free to the business owner.
Thus, we create these five Profiles:
- Lawn Care Administrator
- Lawn Care Worker
- Homeowner Association Rep
- Brand Rep
While each profile is known and has special meaning to us, roles are all user-generated and are never referenced or known in our code.
In the beginning, the owner makes one role for each. As you may imagine, as the business grows, the administrator would like to delegate his work: a manager to schedule clients and assign lawn care workers to them; a bookkeeper to see the paid/unpaid finances; a marketing intern to write up the newsletters. And so forth.
Lawn Care Worker
- Entry Level
- Team Lead
Homeowner Association Rep
- Trusted Partner
- Standard Homeowner Association Rep
- Demoing Brand Rep
- Paying Brand Rep
Most of the profiles now have multiple Roles.
A user may have multiple profiles: maybe a worker is doing the marketing emails; or the homeowner association rep is also a client; etc. And likewise, within a profile, a user may have multiple roles. In the beginning, there was just one administrator role. As the company grew, the owner split out all these hats he was wearing into the different roles. While the marketing intern only has the one role, the owner still has all the roles.
When a user with more than one profile logs in, they must choose which profile they wish to engage as.
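The model described above, as an added sketch that is not code from the original notes: profiles and permissions are fixed by the developers, roles are user-generated data, and `can(action, subject)` only consults roles in the active profile. The profile keys, dashboard paths, permission strings and helper names are assumptions made for the example.

```javascript
// Developer-defined ("us"). Keys, paths and permission names are assumed.
const PROFILES = new Map([
  ["administrator", { dashboard: "/admin" }],
  ["worker", { dashboard: "/schedule" }],
]);
const PERMISSIONS = new Set([
  "create:invoice", "read:invoice", "write:newsletter", "read:schedule",
]);

// User-generated ("them"): a role is plain data. Code never checks a role
// by name, and a role cannot carry a permission we did not define.
function createRole(profile, name, permissions) {
  if (!PROFILES.has(profile)) throw new Error(`unknown profile: ${profile}`);
  const unknown = permissions.filter((p) => !PERMISSIONS.has(p));
  if (unknown.length) throw new Error(`unknown permissions: ${unknown.join(", ")}`);
  return { profile, name, permissions: new Set(permissions) };
}

function rolesFor(user, profile) {
  return user.roles.filter((r) => r.profile === profile);
}

// A user may only switch to a profile in which they hold at least one role.
function switchProfile(user, profile) {
  if (rolesFor(user, profile).length === 0) {
    throw new Error(`no role in profile: ${profile}`);
  }
  return { ...user, activeProfile: profile };
}

// Profile question: which dashboard is this user routed to?
function dashboardFor(user) {
  return PROFILES.get(user.activeProfile).dashboard;
}

// Permission question: default deny; the answer is the union of the roles
// held in the ACTIVE profile only, so roles in other profiles do not leak in.
function can(user, action, subject) {
  const wanted = `${action}:${subject}`;
  return rolesFor(user, user.activeProfile).some((r) => r.permissions.has(wanted));
}

// Constructed sample data: a worker who also writes the newsletters.
const bookkeeper = createRole("administrator", "Bookkeeper", ["create:invoice", "read:invoice"]);
const marketing = createRole("administrator", "Marketing Intern", ["write:newsletter"]);
const entryLevel = createRole("worker", "Entry Level", ["read:schedule"]);
const intern = switchProfile({ roles: [marketing, entryLevel], activeProfile: null }, "worker");
```

While `intern` is acting as a worker, `can(intern, "write", "newsletter")` is false even though the Marketing Intern role grants it; it becomes true only after `switchProfile(intern, "administrator")`.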