Fuzzy user management in web applications

Question

I'm a bit confused about role management in web applications.
Assumption: user belongs to a role, one role has one or more permissions, and permission could be: view page options.html.

If role consists of permissions (view this page, view that page, etc..), how should we check which page is user allowed to see in our code?

Two options have crossed my mind:
a)Role level: If user is member of thatRole then show page ...
b)Permission level: if user has permissionToViewThatPage then show page...

If a) is the way to go, then why do we need permissions?
Admin role has the permission to view that page, and later on someone comes and changes permission.
In our code we ask if user is member of the admin role, but we don't check the permission.

Question:
How do you manage user roles/permissions in your source code (JSP/JSF, ASP.NET)?

Answer 1

If you don't use roles, then maintaining users becomes cumbersome because you have to change each individual when requirements change. If you don't use page or feature level permissions, then maintaining code becomes cumbersome because you have to change the code when requirements change.

The best option is to have the features on your page require permissions where needed, have the users belong to one or more roles, then have a way to match the roles with the permissions.

Answer 2

b). You are right if you are not going to use the permissions you have defined then you don't need them. But given your current setup you should just permissions. The best way to handle your admin issue is to grant the Admin role all permissions rather than adding a separate role check for the user.

Answer 3

The basic distinction is that permissions are assigned to roles, and roles are assigned to specific users. The basic idea behind this concept is to make access management as dynamic as possible without knowing the actual code.