I am building an application that has 3 tiers in the ACL tree: admin, super, and user. All 3 have cascading privileges to site features. My conundrum at the moment is trying to figure out the best approach to allow user-specific privileges.
For example, the site has 5 extensions which are available for purchase. If they don't purchase any extensions, they have basic privileges. However, for each extension purchase, site features become available.
At any time, the user could purchase or disable an extension, adding to or subtracting from their privileges.
Is it good practice to just create new Boolean columns in the user table for each function, enabling or disabling them, and then just check if access is granted? Is this OK for scalability if extensions grew to 50?
Another thought I had was to create a key-value table that assigned a user one privilege, with a new row for every allowed privilege. However, I thought this might be overbearing, searching through the table if there were many users with many privileges.
It's my first time using ACL - AROs and ACOs.
Any advice will be appreciated.
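
An added example, not part of the original post: the second option from the question (one row per granted privilege), sketched with Python's `sqlite3`. Table, column and extension names are hypothetical and the sample rows are constructed; the composite primary key doubles as the index for the access check, so the lookup is an index search rather than a table scan.

```python
import sqlite3

def open_db():
    """In-memory database with constructed sample data (all names hypothetical)."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript("""
        CREATE TABLE app_user (
            id   INTEGER PRIMARY KEY,
            role TEXT NOT NULL CHECK (role IN ('admin', 'super', 'user'))
        );
        -- One row per granted extension; the composite primary key is
        -- also the index that answers the access check.
        CREATE TABLE user_extension (
            user_id   INTEGER NOT NULL REFERENCES app_user(id) ON DELETE CASCADE,
            extension TEXT    NOT NULL,
            PRIMARY KEY (user_id, extension)
        );
        INSERT INTO app_user (id, role) VALUES (1, 'user'), (2, 'user');
    """)
    return db

CHECK_SQL = "SELECT 1 FROM user_extension WHERE user_id = ? AND extension = ?"

def grant(db, user_id, extension):
    # Purchase: idempotent insert, so a repeated purchase does not raise.
    db.execute("INSERT OR IGNORE INTO user_extension VALUES (?, ?)",
               (user_id, extension))

def revoke(db, user_id, extension):
    # Disable: deleting the row removes the privilege.
    db.execute("DELETE FROM user_extension WHERE user_id = ? AND extension = ?",
               (user_id, extension))

def has_extension(db, user_id, extension):
    # Deny by default: no row means no access.
    return db.execute(CHECK_SQL, (user_id, extension)).fetchone() is not None

def check_plan(db):
    # Query-plan text for the access check; the detail is the last column.
    rows = db.execute("EXPLAIN QUERY PLAN " + CHECK_SQL, (1, "reports")).fetchall()
    return [row[-1] for row in rows]

if __name__ == "__main__":
    db = open_db()
    grant(db, 1, "reports")
    print(has_extension(db, 1, "reports"), has_extension(db, 2, "reports"))
    print(check_plan(db))
```

Going from 5 extensions to 50 adds rows rather than columns, so the schema does not change when an extension is introduced.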