When to use a single-group or multi-group permission system?

As far as I'm aware there are two main styles of permissions systems out there. I would like to know if the multi-group option is really worth the extra trouble or system load (more queries). It seems that with proper application design there is no need for users to have more than one class - though my applications have never made it big enough for me to know.

• Simple user system (group/role with users)

Sam is a member - he cannot access admin content. Joe is an admin - he can change author posts. One开发者_如何学Go user is in one group, and groups cascade permissions. Think wordpress.

• Multi-group user system (users with groups/roles)

Sam is a member and moderator - but he still cannot access admin content. Each user can have many groups which all combine to show what he can/cannot do.

Why not just have Sam as a moderator and all moderators inherit member privileges? Also, which one works better with ACLs?

It's possible that two groups might inherit permission from one lower group, but those two groups cannot share permissions.

Say, for example, you have users that can post to the forums.

Then, you have people in charge of moderating users. Those people can reset passwords, ban users, promote users, etc. Plus, they can post to the forums.

You have another group in charge of moderating content. They can modify/delete posts, rearrange the posts, etc, but they cannot do anything with user accounts. Plus, they can post to the forums.

Then you have the administrators who can do it all.

In this case, the user moderators and the content moderators both inherit from general users, but do not share permissions. There are certainly cases where multiple-group systems are useful, but they definitely aren't necessary in every system.

One application I worked on recently involved several "work areas", each of which a user can be provisioned to access. These work areas, e.g., A, B, and C, are not hierarchically related, so a user could have access to A and C, but not B, or any other combination. In a case like this, inheritance doesn't help and a user needs to be assignable to multiple roles.