Many simple user roles vs. less complex user roles
I'm trying to figure out what the best way is to implement our user roles. Let's say we have 3 modules, A, B, and C. We have users who can access only one of the modules, and users who can access a combination (A/B, A/C, B/C, A/B/C). I can create 3 user roles, UserA, UserB, UserC, and link these to the accounts. Users who are allowed access to multiple modules will receive multiple user roles. This is very flexible and I can create any combination I want. However, the user roles will have overlapping module roles (all roles will have a System.User, for example). And in the real scenario some users will get a lot of user roles. I’m not sure what the impact on the performance will be. The other scenario would be to create user roles with more module roles linked to them. I would end up with user roles UserA, UserB, UserC, UserAB, UserAC, UserBC, UserABC and link 1 user role to an account. There would be only one user role applied to an account, which would probably be better performance-wise, but this is of course not very flexible, and with more modules the number of user roles will grow quickly. I would love to hear some best practices and advice on this.
This is a very good question and is not easy to answer.
I can point out a flaw in your reasoning. Performance-wise it is not going to make a difference if you create just 3 or 7 application roles. Performance-wise, the number of module roles a user has per module is going to have an impact.
So what I would do is create 3 application roles. I would also worry that things are not as simple as they seem. Without knowing anything about your application, I suspect it might actually be true that you need more granular module roles than just 1 per module.
I think you have to ask yourself what is more important. Do I want a complex but very accurate model or a simple but more global model? If you want it very secure I would opt for the first, and if security is not that big of an issue I would opt for the last.
So there is no easy answer to your question and you have to decide for yourself what is most important in defining the roles and configure them accordingly.