I'm attempting to design a Realtime Database with Firebase that will be scalable as our company grows, and I'm not sure what will be most beneficial long term.
I'm looking to create user groups to restrict access to different nodes in the database and have some way of bypassing those rules with exceptions. The current idea is to have groups define what users can access and then have the option to apply exceptions to specific users to allow them access beyond what their group does.
Is this bad practice? Would it be better to have both roles and groups?
I'd also appreciate some feedback on the structure. I've thought of two different ways I could do this (there are probably hundreds of others, but in the interest of sanity, I limited it to two). Keep in mind, I'm trying to keep the structure flat in compliance with the Firebase docs:
STRUCTURE A

    permissions:
        groups:
            admin:
                woody: true
                buzz: true
            accounts:
                slinky: true
                jessie: true
        rules:
            root:
                admin:
                    read: true
                    write: true
            purchasing:
                accounts:
                    read: true
                    write: true
        exceptions:
            root:
                jessie:
                    read: true

STRUCTURE B

    groups:
        admin:
            members:
                woody: true
                buzz: true
            rules:
                root:
                    read: true
                    write: true
        accounts:
            members:
                slinky: true
                jessie: true
            rules:
                purchasing:
                    read: true
                    write: true

The rationale behind the two is this: in Structure A, I can predefine a bunch of permissions that stay there always, regardless of whether any groups have access to them; they are clearly defined. Structure B lacks that, but it also seems a little cleaner to me.
Hopefully that makes sense; if not, please feel free to ask clarifying questions.
Cheers!
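
An added example, not part of the original post: a JavaScript sketch that resolves effective access from each structure, so the difference between group rules plus per-user exceptions (Structure A) and rules nested under each group (Structure B) can be checked against the same users. The function names `canAccessA`, `canAccessB` and `scopes` are hypothetical, the data is copied from the post, and the rule that a grant on `root` covers every node is an assumption the post does not state.

```javascript
// Sample data constructed from the post. structureA is the object under
// "permissions"; structureB is the object under "groups".
const structureA = {
  groups: {
    admin: { woody: true, buzz: true },
    accounts: { slinky: true, jessie: true },
  },
  rules: {
    root: { admin: { read: true, write: true } },
    purchasing: { accounts: { read: true, write: true } },
  },
  exceptions: { root: { jessie: { read: true } } },
};
const structureB = {
  admin: {
    members: { woody: true, buzz: true },
    rules: { root: { read: true, write: true } },
  },
  accounts: {
    members: { slinky: true, jessie: true },
    rules: { purchasing: { read: true, write: true } },
  },
};

// Assumption: a grant on "root" also applies to every other node.
const scopes = (node) => (node === "root" ? ["root"] : [node, "root"]);

// Structure A: a per-user exception wins first; otherwise any group that
// holds a rule on the node and lists the user as a member grants access.
function canAccessA(perms, user, node, op) {
  return scopes(node).some((scope) => {
    if (perms.exceptions?.[scope]?.[user]?.[op] === true) return true;
    const byGroup = perms.rules?.[scope] ?? {};
    return Object.keys(byGroup).some(
      (g) => byGroup[g][op] === true && perms.groups?.[g]?.[user] === true
    );
  });
}

// Structure B: rules live inside each group, so walk the user's groups.
// Anything not granted explicitly is denied in both functions.
function canAccessB(groups, user, node, op) {
  return Object.values(groups).some(
    (g) =>
      g.members?.[user] === true &&
      scopes(node).some((scope) => g.rules?.[scope]?.[op] === true)
  );
}
```

With the posted data, jessie can read `root` under Structure A only because of her exception entry; Structure B as posted has no place for exceptions, so the same check is denied there.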