Les, Peter, thanks for the details.
>> Instance-level permissions are very powerful indeed, however, you don't >> want to create hundreds or thousands of them. Typically my applications use >> a mix of logic that requires knowledge of how the application works as well >> as permission checks: So reducing the count of entries in the DB will speed things up? ;-) >> Based on your example, I would only check if someone is allowed to review >> an entry if they are NOT the reviewer already assigned to the entry. Well, actually, nobody but the assigned reviewer is allowed. As I will have the field around for DB queries anyway, I guess that permissions don't add value from the app logic point of view. Nevertheless they add value from the point of view that permissions go along with functionality as opposed to roles. Please correct me, if I'm wrong. Cheers, DJ
