Applying Linux Group Ideology to Web Applications

I have built a database driven web application that has a user and group system that works in a similiar way that Linux handles user access.

Breif explanation:

A user can access various resources, the resources are assigned to a single group and users can have many groups.

Users

id   name  
--   -------  
1    RedRanger 
2    GreenRanger
3    BlueRanger

Group Assignment

user group
---- -----
1       33
1    44
1    55
2    33
2    44
3    33
3    44
3    55
3    66

Group description

gid name  
--- ----  
33  user  
44  things  
55  stuff  
66  foo  

Resource

name group
---- -----
a    33
b    33
c  开发者_开发知识库  33
x    44  
y    55
z    66

RedRanger can access a, b, c, x and y but not z

GreenRanger can only access a, b, c and x

BlueRanger can access a, b, c, x, y and z

Lets say that RedRanger needs to be denied access to resource a

if I remove him from group 33 he can no longer access b or c which is no good.

The only alternative is to change a's group and add everyone else to the new group, this isn't so bad for 3 users, but what about 3,000?

If this situation occurs often there will soon be a mess of groups.

What is the best approach to this problem?

A resource should be able to "belong" to more than one group, rather than just one. This limitation really restricts the design.

You're part way towards a RBAC system; have a read over it and see how you could be a little bit more flexible for a better result.

It sounds like RedRanger no longer fits role (group) 33 and a new role needs to be created with access to the features (resources) that fit this new role. 3 users vs. 3,000 users is just a matter of doing the change in an admin UI vs. a sweeping database update.