I'm creating a Symfony2 website that has users and each user can have multiple permissions like this:
User1: manage users , manage sales , manage repository
User2: manage repository
user3: manage sales , manage repository
...
for such a system what is the correct permission system to use?
Roles or ACLs or voters or something else?
Thanks
Roles are OK if you want to grant "general" permissions.
For example, if you need user to be able to manage all or users, then you can create a role for it, for example ROLE_USER_MANAGER. Or if you want to grant him rights to manage sales, you can grant him ROLE_SALES_MANAGER role.
So basically, use Roles when you have limited number of permissions to some entities generally.
You can use them for other stuff by granting roles that contain entity names and ids for example, ROLE_MANAGER_REPOSITORY_23 and then using custom voters you can know that users with that role can manage repository with id 23. Even though this approach can work, I personally don't like it.
If you have a lot of dynamic permission granting, especially towards individual models, then ACL is the way to go. It is usually a bit less performant, as it needs to fetch more data from the data store, but is a lot more suitable for this purpose.
With Symfony2 ACL, it's incredibly easy to grant and check permissions, and even to allow individual users to grant permissions to each other.
Furthermore, introduction part of Symfony ACL docs shows you both of these approaches and also point out some ups/downs for each.