I've started a (much needed) rewrite of the make-it-up-as-you-go-along Filemaker system I built over the past few years. One of the first things I plan to tackle is building a custom permissions system and was hoping to solicit some advice and experiences.
Two types of permissions are needed. The first are record permissions. There are many different tables in the solution and we want the ability to control who can Create, View, Edit, and Delete in each of these tables.
The second type of permission is a single value permission, most likely yes or no, but could be anything really, a number, etc. For example, my new UI is designed to work across the web, desktop, and iPad Pro. On the desktop we want certain users to have the ability to "pop" the current window out into a new window. These "power users" have no trouble managing multiple windows, whereas many of our less sophisticated users do. So, if the "allow pop out" permission is true, the user sees the Pop Out button. Otherwise it is hidden.
A few thoughts so far. Not all of this is working yet, but this is what I'm thinking...
I've currently designed the permissions as two tables. One table is the "Master Permissions" table. This table is essentially the template for each user. I can add permissions here as needed during the build out, then have scripts create/update the user permissions. Each record has a permission name, a variable name, and four permission fields (create, view, edit, delete). If the permission type is a record permission, all four permission fields are used. If the permission type is a single value permission, only the first field (create) is used.
When a user is added to the system, all records from the "Master Permissions" table are copied into the "User Permissions" table and assigned to the new user. At this point the Admin can adjust/set permissions as needed.
When the user logs in, permissions are stored as global variables (using the variable name defined in Master Permissions) for the session. For example, one of my record types is Contacts. The variable name is $$perm_contact. When the user logs in, a script loops through all user permissions and sets the variables:
$$perm_contact_create = 1
$$perm_contact_view = 1
$$perm_contact_edit = 0
$$perm_contact_delete = 0
Since we have a lot of different record types, a lot of global session variables will be created. Any thoughts on that? Another option is storing the permissions in global fields in the "Users" table, but variables seem better to me.
That's pretty much where I am now in my thinking. I'd very much appreciate any thoughts and suggestions at this early stage. Thanks!