The party model, permissions, customers and staff

We are using a party model for a booking application, so that customers and staff effectively share the same table in the database.

Previously customers could only 'book' an appointment if they paid and if a slot was available. Now, we want to create a premium_customer type rol开发者_运维知识库e so that customers can make bookings without paying and even if there is no availability.

Does it make sense to add customers to a single security model, such as in an ACL or RBAC?

• If so, do we introduce roles called normal_customer and premium_customer alongside our reception and duty_manager and other staff roles?
• If not, should there be a separate security model for website users?

As I don't know all your requirements, i can't give you a definitive solution, but your Approach to create a role could be correct i many cases. However, you could also create a "Subscription", wich could have start- and end date.

yes it is fair to create another role to record premium customer