Ok, I think I complicated matters unnecessarily by mentioning the single-row optimization. Forget about that, and let's concentrate on one thing at a time.
Requirement:
------------
- I want to grant 'admin' on all news items to user x.
Dave's Design:
--------------
Create a site-wide "News" group, etc. -- see above.
My conceptual design proposal:
------------------------------
Instead of thinking of this as granting privs on *packages* think about it as granting privs on *objects*.
What you want to do is grant 'admin' on all objects of type 'news_items'.
One possible implementations:
-----------------------------
Add a column 'object_type' to the acs_permissions table, which defaults to 'acs_object', menaning this permission is granted on all object types.
Change the permissions check procs/views to also check whether the object in question is a subtype of the value of object_type column in the acs_permissions table.
... there are other possible implementations, if you agree with me on the conceptual design.
Comments?
