The way that i would implement permissions on a large site would be based around user groups and content categories eg. the admin department would have the permission to edit and create content within the ‘News’ category. With this approach, if the admin department needed to add products to the website for example, it would be easy to give them permission to do so.

Within the system that you describe above, unless im missing something, you would have to go through all of content and re-tag it with the correct permissions.

You say that when using these tags “instead of defining user groups that have attributes … we’re defining attributes directly”, but you’re really not. Attributes need to describe exactly what the role/tag does and what the user is allowed to do with them. General tags like “moderator” and “me” will still need a subset of attributes like “view”, “edit”, “delete”, “owner”, etc. so the application can determine which actions the user can actually execute with the tags they have. So it’s really just a ‘has many’ role-based authentication setup with a different name.

Your post came on my radar for tagging. Your idea is interesting. I devised a number of such tagging extensions, as part of a tagging concept I developed throughout 2007 called TagOver, and I am glad to see a chorus forming on the applicability of “extended tagging”.

More recently, I’ve simplified and honed in on a core idea within my “grand” tagging theory, and started working on it with a back-end developer. You can see more about it at my blog post

We are currently looking for a talented, hands-on web designer and front end developer to help out and potentially join the founding team. For now this is side voluntary work, to be turned into company ownership once we set it up. Should you know people skilled and interested in the topic, kindly send them our way.

Thanks James, and I look forward to connecting further

Authentication is “Who are you?”
Authorization is “What are you allowed to access?”

What you describe does indeed sound like a form of RBAC, or Role-Based Access Control.

Of course, to truly be useful, you need to define somewhere what each tag allows the user to do. Say both my account and an article are tagged with “me”. What does that mean? Can I see it? Can I comment on it? Can I edit it? What am I allowed to do with it? You’d really have to go into much greater breadth with the tags, like “me-view”, “me-edit”, “m-comment”, etc.

Gmail is using tags to simulate folders. I used this technique myself, and it really made my life easier.