How to create users that can create other users with certain restrictions?

Question

I apologize that I can not load a picture to explain the relationships but I need more street cred to do so.

I am using Rails 4 and Devise 3. I would like to create a family relationship for my users with certain restrictions based on family role.

A user (we will call MainUser) can create a family and add family members to the family. However, I want each of these family members to be new users (we will call ChildUser). The idea is that I do not want ChildUser to have any permissions to sign in/access the website in any way at first. They only exist because MainUser. Their information will be in complete control of MainUser. As they grow older, the MainUser may want to allow certain privileges to the ChildUser such as signing in to their account. Eventually, ChildUser will want to have full access to their account and no longer be under the MainUser's restrictions. They will still want to be part of the MainUser's family (of which MainUser controls) but they would also like to create their own family (of which ChildUser can control). Now the cycle can repeat and ChildUser can create GrandChildUsers for their family.

I have not used CanCan but have read about its use cases and I feel like it could be useful for me however I would like some conceptual and technical guidance on this.

Has anyone created a similar User relationship?

Answer 1

You probably want to look into role-based access control and access control lists, also called RBAC and ACL respectively.

You might also find this provocative talk interesting if you're unfamiliar with the topic:

http://vimeo.com/2723800

See also, on SO:

• Database schema for ACL

• Implementing permissions based on reputation

• what is a better way than arrays overlap? (postgresql)

• Best Role-Based Access Control (RBAC) database model