Access Control List
Permission
There are three types of permission, namely modify, delete and view.
modify.permission : Create, Update
view.permission : View
delete.permission : Delete
Role
Roles are tied to permissions. Each application has three different
roles: admin, moderator and user. Each of them has its own set of permissions.
role: admin.role
permission: modify.permission, view.permission, delete.permission
role: moderator.role
permission: modify.permission, view.permission
role: user.role
permission: view.permission, modify.permission
Admin has permission to view, modify and delete a record. Moderator
has permission to view and modify a record. User has permission
to view and modify a record (some restrictions apply, enforced by application
logic).
Example: Forum Application
admin, moderator, user can MODIFY Forum (start a forum)
admin, moderator, user can MODIFY Entry (post)
admin, moderator, user can VIEW Forum (browse entries)
admin can DELETE Forum (end a forum)
admin can DELETE Entry (only if forum is moderated)
admin, moderator can MODIFY membership
admin can DELETE membership
Group
Application users are bundled into a group. A user with membership
in the group is granted role(s). This is the fine-grained level of the authorization
scheme.
Example: Forum Application
user: msbob
group: forumapp.user.group
role: admin.role, moderator.role
Description: msbob is a user of the Forum Application. He holds
the admin and moderator roles for this application.
user: johndoe
group: forumapp.user.group
role: user.role
Description: johndoe is a user of the Forum Application. He is
a plain user of this application.
At the coarse level of the authorization scheme, a user with no membership
in forumapp.user.group can't use the Forum Application at all.
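The two-level check described above (coarse: group membership; fine-grained: roles and their permissions), as an added example that is not part of the original page. It reuses the page's permission, role and group names; the sample users, the `is_authorized` and `can_delete_entry` functions and the "outsider" account are constructed for illustration.

```python
from dataclasses import dataclass, field

# Permissions as defined on the page: modify covers create and update.
PERMISSIONS = {
    "modify.permission": {"create", "update"},
    "view.permission": {"view"},
    "delete.permission": {"delete"},
}

# Roles map to the permission sets given on the page.
ROLES = {
    "admin.role": {"modify.permission", "view.permission", "delete.permission"},
    "moderator.role": {"modify.permission", "view.permission"},
    "user.role": {"view.permission", "modify.permission"},
}


@dataclass
class User:
    name: str
    # group name -> set of roles granted through membership in that group
    memberships: dict = field(default_factory=dict)


def is_authorized(user, group, action):
    """Coarse check (group membership) first, then fine-grained (roles)."""
    roles = user.memberships.get(group)
    if roles is None:
        # Coarse level: no membership in the application's group, no access at all.
        return False
    # Fine-grained level: allowed if any held role carries a permission
    # that covers the requested action.
    return any(action in PERMISSIONS.get(perm, ())
               for role in roles for perm in ROLES.get(role, ()))


def can_delete_entry(user, group, forum_moderated):
    """Application-logic restriction from the page: an Entry may be deleted
    only by a holder of the delete permission and only if the forum is moderated."""
    return bool(forum_moderated) and is_authorized(user, group, "delete")


# Constructed sample users, following the page's example.
msbob = User("msbob", {"forumapp.user.group": {"admin.role", "moderator.role"}})
johndoe = User("johndoe", {"forumapp.user.group": {"user.role"}})
outsider = User("outsider")  # constructed: no membership, fails the coarse check

if __name__ == "__main__":
    for u in (msbob, johndoe, outsider):
        for action in ("view", "create", "delete"):
            print(u.name, action, is_authorized(u, "forumapp.user.group", action))
```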