Database Design for Role-Based Access System

(1) What is so "bad" about checking Roles for access control? What benefits are gained by checking for permissions instead?

At the moment of checking, the calling code only needs to know "does user X have permission to perform action Y?".
The calling code does not care about and should not be aware of relationships between roles and permissions.

The authorization layer will then check if the user has this permission, typically by checking if the user's role has this permission. This allows you to change authorization logic without updating the calling code.

If you directly check for role at the call site, you are implicitly forming role ⇄ permission relationships and injecting authorization logic into the calling code, violating separation of concerns.

Should you later decide that role foo should not have permission baz, you would have to change every code which checks if the user is a foo.

(2) In this scenario what useful value do Roles even provide? Couldn't we just assign 1+ Permissions to Users directly? What concrete value of abstraction do Roles offer (can someone give specific examples)?

Roles conceptually represent a named collection of permissions.

Let's say you are adding a new feature which allows a user to edit certain settings. This feature should be available to administrators only.

If you are storing permissions per user, you would have to find all users in your database which you somehow know are administrators (If you're not storing role information for users, how would you even know which users are administrators?), and append this permission to their list of permissions.

If you use roles, you only have to append the permission to the Administrator role, which is both easier to perform, more space efficient, and is less prone to mistakes.

You can think of security from 2 perspectives: Functional security and Data Security.

Functional Security: This will provide access control over various functionalities of your web-site. Simplest form of this will be as you mentioned, privileges which are mapped to single functionality such as user management or product management etc, aggregated to create application roles such as Product Manager, or HR Manager.

Data Security:

This will control what data(basically logical rows) should be available for each functional grants. For example, if you want to restrict Manage User functionality per department, then you may setup a per-dept-data-security role. This role, together with manage-user role provide the user with access to Manage user functionality within his department.

If you want to directly grant the privileges to users, it will definitely be messy, and kills the aggregation possibilities. But you can implement this, as roles will always be converted to privileges at run time. It will just create another layer unnecessarily, and also from usability perspective, more confusing to manage.