What is a recommended way to manage different roles in a webapp?

My app can handle Medics and Patients. So far everyone can login and perform different tasks on the site.

We want to avoid forcing people that are Medics AND ALSO Patients to create a new User Login and password.

So a Medic which is also a Patient should keep his same login and password but we are thinking that as soon as the person with this dual privilege logs in they should PICK whi开发者_开发技巧ch role (and maybe store in a session variable) he wants to log in as.

Is this recommended or can you please provide me with an alternative?

Please help. thanks in advance

Your suggestion for roleselection after authentication IS a preferred way of working with your users. Your application can perform authorizations based on the role, rather than on the user. It is also important for the user to unmistakenly be aware of the role activated performing certain tasks.

One small suggestion I could give is to be able to switch this role dynamically, at any point in time in your application, without having to re-authenticate or get back to some kind of main page in your app. That fast role switch would really improve its usability. And always have the activated role display somewhere in the screen.

Do Medics have more privileges?

Somewhat like an "Editor" is also a "Registered User".

You wouldn't need an extra logon, you would just need to setup the hierarchy and what tasks/abilities a Medic has over a patient - if that's your scheme.

You should create another role. MedicAdmin for example.