
IT:AD:Design:Investigations:Security:Authorisation:PBAC

An example of a Permission/Operation Based Authorisation Control system is IT:AD:NETSqlAzMan

An alternative, as Rockford Lhotka suggested, is to keep the framework's IsInRole method and, despite its name, use it to check Permissions (operation names) rather than Roles.

See why it's better than Role Based:

One checks against Operation, not Role.

Eg:
UserA is in Role Accountant.
Accountants can do x, y, z.
But UserA has z removed.
Therefore to the question "Can UserA do x", the answer is ...
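The following is an added illustration, not code from this page, from NetSqlAzMan or from Lhotka's CSLA. It combines the two points above: the authorisation check is phrased against an operation, with a per-user removal overriding what the user's roles grant, and the check is exposed through the standard IPrincipal.IsInRole contract fed with operation names. The PermissionStore, PermissionPrincipal and all role, user and operation names (Accountant, Clerk, UserA, UserB, x, y, z) are assumptions constructed for the example.

```csharp
// Added illustration (not code from the page, NetSqlAzMan or CSLA):
// a minimal permission/operation-based principal. All role, user and
// operation names are constructed for the example.
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Resolves a user's effective permissions: the union of the operations
// granted to the user's roles, minus any operation explicitly removed
// from that particular user. The removal wins, so an Accountant who has
// had z taken away cannot do z even though the role can.
public sealed class PermissionStore
{
    private static HashSet<string> Set(params string[] items) =>
        new HashSet<string>(items, StringComparer.OrdinalIgnoreCase);

    // Hypothetical data, constructed for the example: role -> operations.
    private readonly Dictionary<string, HashSet<string>> _rolePermissions =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            ["Accountant"] = Set("x", "y", "z"),
            ["Clerk"] = Set("x"),
        };

    // user -> roles
    private readonly Dictionary<string, HashSet<string>> _userRoles =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            ["UserA"] = Set("Accountant"),
            ["UserB"] = Set("Clerk"),
        };

    // user -> operations this user may NOT perform even if a role grants them.
    private readonly Dictionary<string, HashSet<string>> _userRemovals =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            ["UserA"] = Set("z"),
        };

    public HashSet<string> EffectivePermissions(string user)
    {
        var effective = Set();
        if (_userRoles.TryGetValue(user, out var roles))
        {
            foreach (var role in roles)
            {
                if (_rolePermissions.TryGetValue(role, out var ops))
                    effective.UnionWith(ops);
            }
        }
        if (_userRemovals.TryGetValue(user, out var removed))
            effective.ExceptWith(removed);   // explicit removal overrides the role grant
        return effective;
    }
}

// An IPrincipal in the style Lhotka suggested: the framework's
// IsInRole(string) contract is kept, but callers pass an operation name,
// so the question asked is "can this user do X?", never "is this user in role R?".
public sealed class PermissionPrincipal : IPrincipal
{
    private readonly HashSet<string> _permissions;

    public PermissionPrincipal(IIdentity identity, HashSet<string> permissions)
    {
        Identity = identity;
        _permissions = permissions;
    }

    public IIdentity Identity { get; }

    public bool IsInRole(string operation) => _permissions.Contains(operation);
}

public static class Program
{
    public static void Main()
    {
        var store = new PermissionStore();
        var principal = new PermissionPrincipal(
            new GenericIdentity("UserA"),
            store.EffectivePermissions("UserA"));

        // Checks are phrased against operations, not roles.
        foreach (var op in new[] { "x", "y", "z" })
            Console.WriteLine($"Can UserA do {op}? {principal.IsInRole(op)}");

        // A role name is not an operation, so it is not "granted" either.
        Console.WriteLine($"IsInRole(\"Accountant\") = {principal.IsInRole("Accountant")}");
    }
}
```

For UserA the operation checks come back allowed for x and y and denied for z: the per-user removal wins over the Accountant role's grant, which is exactly the answer a plain role check cannot give. Asking IsInRole("Accountant") comes back false, because this principal only knows operations. That is the caveat with reusing the method name: any code or attribute that still passes a role name to IsInRole will silently start failing, so the convention has to be applied everywhere, or the role names must also be projected into the permission set.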

Pros:

  • The result is fine-grained control.

Cons:

  • Although it models real-life scenarios better, the UI needed to administer these per-user permissions is much more complex.
    • But do remember that the complexity is not a logic issue, it's a UX issue.

Last modified: 2023/11/04 02:47