I have one MySQL DB table like the following, the resources table:

id | name | type

1 | guest | user

2 | member | user

3 | moderator | user

4 | owner | user

5 | admin | user

6 | index | controller

Onto the next table, the rules table:

id | user_id | rule | resource_id | extras

1 | 2 | 3 | 1 | null

2 | 3 | 3 | 2 | null

3 | 4 | 3 | 3 | null

4 | 5 | 3 | 4 | null

5 | 6 | 1 | 1 | index,login,register

6 | 6 | 2 | 2 | login,register

7 | 6 | 1 | 2 | logout

OK, sorry for the length, but I am trying to give a full picture of what I am trying to do. So the way it works, a role (aka user) can be granted (rule: 1) access to a controller, a role can inherit (rule: 3) access from another role or a role and be denied (rule: 2) access to a controller. (A user is a resource and a controller is a resource)

Access to actions are granted / denied using the extras column.

This all works, its not a problem with setting up the ACL within zend.

What I am now trying to do is show the relationships; to do that I need to find the lowest level a role is granted access to a controller stopping if it has explicitly been removed. I plan on listing the roles. When I click a role, I want it to show all the controllers that role has access to. Then clicking on a controller shows the actions the role is allowed to do.

So in the example above, a guest is allowed to view the index action of the index controller along with the login action. A member inherits the same access, but is then denied access to the login action and register action. A moderator inherits the rules of a member.

So if I were to select the role moderator. I want to see the controller index listed. If I click on the controller, it should show the allowed actions as being action: index. (which was originally granted to the guest, but hasn't since been dissallowed)

Is there any examples to doing this. I am obviously working with the Zend MVC (PHP) and MySQL. Even just a persudo code example would be a helpful starting point - this is one of the last parts of the jigsaw I am putting together.

P.S. Obviously I have the ACL object - is it going to be easier to interigate that or is it better to do it my self via PHP/MySQL?

The aim will be, show what a role can access which will then allow me to add or edit a role, controller and action in a GUI style (that is somewhat the easy bit) - currently I am updating the DB manually as I have been building the site.