[Catalyst] Authz: How granular to make roles?

Jesse Sheidlower jester at panix.com
Sun Jul 19 10:31:19 GMT 2009


This is more of a philosophical question about how to handle
authz with roles, but is perhaps OT for Catalyst, I suppose.

I am converting an older app that had a very messy
authorization system. I have three different libraries, and
users were assigned a numerical access level to each one; a
"3" would be read-only access, "7" would be add or edit, etc.
(This is sort of arbitrary; I didn't actually use each
number.) For system-wide changes--user adding and editing, for
example--the original or "main" library rights were looked at,
so that a person with "9" access to this library could add
users.

I'm in the process of changing this over to a role-based
system, with the usual Cat modules for this.

However, I'm finding that there are various things for which
it seems crazy to create roles, but which nonetheless need
authz. So, for instance, I have my personal library, to which
outside people can have read access. But these people probably
shouldn't be able to see what I paid for each book. In the old
system, I checked if the user had jts_access >= 7 in order to
display this. In the new system, I don't want to create a role
for "jts_price-paid_viewing" or whatever; on the other hand,
merely checking the "jts_add" role isn't the actual right I'm
looking for. Does this matter?

There are various other things like that, in particular with
user-handling routines (should anyone with the user_edit role
be able to edit _any_ user, or should there be a way to ensure
that the admin user can only be edited by...well, who? Should
there be separate rights to add/edit roles themselves? etc.).

So I guess the overall question is how granular this sort of
thing needs to be, or whether I can just declare an "admin"
role for anything really high-powered and leave it at that?
That sort of thing.

Thanks for any thoughts.

Jesse Sheidlower
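One way to keep roles coarse while still answering fine-grained questions like the "price paid" check is to separate permissions from roles: roles are what you hand out to users, permissions are what the code asks about, and a small table maps one to the other. The Perl below is an added illustration of that pattern and is not code from the post or from Catalyst itself; the role names (jts_read, jts_add, user_edit, admin), the permission names, the sample users and the is_admin flag are all constructed for the example. In a Catalyst app the list of roles would come from the authenticated user object rather than from the inline hash.

```perl
#!/usr/bin/env perl
# Added example (not from the original post): map fine-grained
# permissions onto coarse roles, so a check such as "may this user
# see what I paid for a book?" does not need a role of its own.
use strict;
use warnings;

# Constructed role -> permission table. Roles stay coarse; permissions
# are what individual checks in the code ask for. Adding a new check
# means adding a permission here, not a new role.
my %ROLE_PERMISSIONS = (
    jts_read  => [qw(jts_view)],
    jts_add   => [qw(jts_view jts_edit jts_view_price)],
    user_edit => [qw(user_view user_edit)],
    admin     => [qw(jts_view jts_edit jts_view_price
                     user_view user_edit user_edit_admin role_edit)],
);

# Flatten a list of role names into a set of permissions.
sub permissions_for_roles {
    my @roles = @_;
    my %perms;
    for my $role (@roles) {
        # An unknown role grants nothing (deny by default).
        my $granted = $ROLE_PERMISSIONS{$role} or next;
        $perms{$_} = 1 for @$granted;
    }
    return \%perms;
}

# True only if at least one held role grants $perm.
sub user_can {
    my ($roles, $perm) = @_;
    return permissions_for_roles(@$roles)->{$perm} ? 1 : 0;
}

# Object-level rule from the post: editing the admin account requires
# a separate permission, so plain user_edit does not reach it.
sub can_edit_user {
    my ($actor_roles, $target) = @_;
    return 0 unless user_can($actor_roles, 'user_edit');
    return user_can($actor_roles, 'user_edit_admin') if $target->{is_admin};
    return 1;
}

# Constructed sample users; a real app would load these from its store.
my %users = (
    visitor => { roles => ['jts_read'],             is_admin => 0 },
    editor  => { roles => ['jts_add', 'user_edit'], is_admin => 0 },
    root    => { roles => ['admin'],                is_admin => 1 },
);

for my $name (sort keys %users) {
    my $r = $users{$name}{roles};
    printf "%-8s view_price=%d edit_admin=%d\n", $name,
        user_can($r, 'jts_view_price'),
        can_edit_user($r, $users{root});
}
```

With this split the controller asks `user_can($roles, 'jts_view_price')` rather than `check_user_roles('jts_add')`, so the intent of the check is recorded in the code even though no extra role exists, and the question of who may edit the admin account becomes a per-object rule (can_edit_user) layered on top of the role check instead of yet another role.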


