(or go straight to the Subversion trunk file drop-create-populate-kplab-db-schema.sql)
The overall picture is shown below.
If (and when :) the picture is not clear enough, here's a short explanation of the tables and their relations.
// TODO : should actually be role_grou_user_to_uri
The main principle is that everything is allowed unless otherwise restricted (an explicit allow of all to all). These rules (the last two tables) can be used with wildcards (*, asterisk). See the following table for examples.
||user||group||role||URI||rule||explanation||
||A||A||normal||-||-||user A belongs to group A and has normal user rights to all the resources||
||A||A||normal||*||allow||Same as above||
||B||A||admin||-||-||user B has admin rights in group A to all the resources||
||B||B||normal||-||-||user B has normal rights in group B to all the resources||
||B||B||admin||doc1.txt||allow||In addition to the above, user B has admin rights to the resource doc1.txt||
||A||A||admin||doc1.txt||allow||User A has admin rights to the same document through group A||
||C||B||normal||-||-||User C has normal rights in group B||
||*||B||admin||*||allow||All users have been given admin rights to all the resources in group B||
||C||B||normal||doc2.txt||deny||User C has been denied access to doc2.txt in group B (overrides the above)||
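As an added example (not part of the original page or of the KPLab schema), the following Python script parses the example table above in its `||cell||` layout and evaluates an access request against the wildcard rules. The evaluation order is an assumption drawn from the row explanations: a matching deny row wins, then a matching allow row grants the role (which is how the `*` user row gives every user admin rights in group B), then plain group membership grants the role on every resource of the group. Reading a deny row as blocking the resource for that user at every role level is also an assumption, taken from "overrides the above".

```python
"""Evaluate the allow/deny example table from the KPLab wiki page.

Rows with '-' in the URI column record group membership (user, group, role).
Rows with a URI and an effect are rules; '*' is a wildcard in the user, group,
role and URI columns. Evaluation order (assumption, see lead-in):
  1. a matching deny row wins over everything;
  2. otherwise a matching allow row grants the role;
  3. otherwise plain membership in the group with that role grants it.
"""
from fnmatch import fnmatchcase
from typing import List, NamedTuple, Tuple

# Constructed copy of the page's example table in the wiki's ||cell|| layout.
# The explanation column is dropped; it is not needed for evaluation.
TABLE = """
||A||A||normal||-||-||
||A||A||normal||*||allow||
||B||A||admin||-||-||
||B||B||normal||-||-||
||B||B||admin||doc1.txt||allow||
||A||A||admin||doc1.txt||allow||
||C||B||normal||-||-||
||*||B||admin||*||allow||
||C||B||normal||doc2.txt||deny||
"""


class Membership(NamedTuple):
    """A '-' row: the user belongs to the group with the given role."""
    user: str
    group: str
    role: str


class Rule(NamedTuple):
    """A row with a URI: explicit allow or deny; any column may be '*'."""
    user: str
    group: str
    role: str
    uri: str
    effect: str


class Decision(NamedTuple):
    allowed: bool
    reason: str


def parse_table(text: str) -> Tuple[List[Membership], List[Rule]]:
    """Split ||cell|| wiki rows into membership rows and rule rows."""
    memberships, rules = [], []
    for raw in text.strip().splitlines():
        cells = [c.strip() for c in raw.strip().strip("|").split("||")]
        if len(cells) < 5:
            raise ValueError("row needs user, group, role, uri, effect: %r" % raw)
        user, group, role, uri, effect = cells[:5]
        if uri == "-":
            memberships.append(Membership(user, group, role))
        elif effect in ("allow", "deny"):
            rules.append(Rule(user, group, role, uri, effect))
        else:
            raise ValueError("unknown effect %r in row %r" % (effect, raw))
    return memberships, rules


def decide(user: str, group: str, role: str, uri: str,
           memberships: List[Membership], rules: List[Rule]) -> Decision:
    """Answer: may `user`, acting in `group` with `role`, access `uri`?"""
    # 1. Deny wins. Assumption: a deny row blocks the resource for that user
    #    in that group at every role level, so the role column is not checked.
    for r in rules:
        if (r.effect == "deny" and fnmatchcase(user, r.user)
                and fnmatchcase(group, r.group) and fnmatchcase(uri, r.uri)):
            return Decision(False, "deny rule")
    # 2. An allow row grants the role even without plain membership
    #    (the '*' user row gives every user admin rights in group B).
    for r in rules:
        if (r.effect == "allow" and fnmatchcase(user, r.user)
                and fnmatchcase(group, r.group) and fnmatchcase(role, r.role)
                and fnmatchcase(uri, r.uri)):
            return Decision(True, "allow rule")
    # 3. Plain membership grants the role on every resource of the group.
    for m in memberships:
        if (m.user, m.group, m.role) == (user, group, role):
            return Decision(True, "membership")
    return Decision(False, "no match")


MEMBERSHIPS, RULES = parse_table(TABLE)


def has_access(user: str, group: str, role: str, uri: str) -> bool:
    """Convenience wrapper over the parsed example table."""
    return decide(user, group, role, uri, MEMBERSHIPS, RULES).allowed


if __name__ == "__main__":
    for req in [("A", "A", "normal", "doc1.txt"),
                ("C", "B", "normal", "doc2.txt"),
                ("D", "B", "admin", "doc3.txt")]:
        print(req, decide(*req, MEMBERSHIPS, RULES))
```

The page's default of an explicit allow of all to all would be one more row, `||*||*||*||*||allow||`; the constructed table leaves it out so that the effect of the remaining rows stays visible. Because a deny row is checked first, the last row blocks user C's access to doc2.txt even though the wildcard row would otherwise grant admin rights to every user in group B.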