I know that this is a long article, so I totally understand if there are no replies. This seemed like a good place to start, though, since the comments on the original article are 3 years old:
I get the general premise of this article, but it seems to set the concept of user types at a higher level than we do. So that's where I'm trying to get some clarification. For example, they separate out groups using the following examples: "Web-User, Admin, HR, Finance and marketing". But I would say that while we may have those, each of those groups has, in turn, its own "sub-roles", for lack of a better term. So, within "Web-user" there may be 5 sub-roles, each with its own mix of SEL/INS/UPD/DEL.
Is this overall security technique saying that I would require 5 additional schemas for each of those sub-roles, or is it saying that those 5 sub-roles would all have the same permission within the schema assigned to "Web-user", and then the application interface would control the SEL/INS/UPD/DEL, depending upon the sub-role a user is a member of?
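As an added illustration of the granularity the question is about (example SQL written for this edit, not code from the article or the poster; PostgreSQL is assumed, and the schema, table and role names are hypothetical), this shows how a database can carry a different SEL/INS/UPD/DEL mix per sub-role on a single "Web-user" schema, with the sub-roles expressed as database roles rather than as additional schemas:

```sql
-- Added example, not from the original article or the poster.
-- Assumes PostgreSQL; schema, table and role names are hypothetical.

-- One schema for the whole "Web-user" group.
CREATE SCHEMA web_user;

CREATE TABLE web_user.orders (
    id          serial PRIMARY KEY,
    customer_id integer NOT NULL,
    status      text NOT NULL,
    total       numeric(10, 2) NOT NULL
);

-- One group role per sub-role. NOLOGIN: these hold permissions, they are not accounts.
CREATE ROLE web_reader  NOLOGIN;
CREATE ROLE web_editor  NOLOGIN;
CREATE ROLE web_remover NOLOGIN;

-- Every sub-role may reach the schema; roles without USAGE cannot touch it at all.
GRANT USAGE ON SCHEMA web_user TO web_reader, web_editor, web_remover;

-- A different SEL/INS/UPD/DEL mix per sub-role, all on the same schema.
GRANT SELECT                 ON ALL TABLES IN SCHEMA web_user TO web_reader;
GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA web_user TO web_editor;
GRANT SELECT, DELETE         ON ALL TABLES IN SCHEMA web_user TO web_remover;

-- Caveat: INSERT into a serial column also needs USAGE on its sequence,
-- otherwise the editor's inserts fail with a permission error.
GRANT USAGE ON ALL SEQUENCES IN SCHEMA web_user TO web_editor;

-- Tables and sequences created later in this schema (by the role running these
-- statements) inherit the same grants, so a new table does not silently become
-- unreachable or, worse, get hand-granted too broadly.
ALTER DEFAULT PRIVILEGES IN SCHEMA web_user GRANT SELECT                 ON TABLES    TO web_reader;
ALTER DEFAULT PRIVILEGES IN SCHEMA web_user GRANT SELECT, INSERT, UPDATE ON TABLES    TO web_editor;
ALTER DEFAULT PRIVILEGES IN SCHEMA web_user GRANT SELECT, DELETE         ON TABLES    TO web_remover;
ALTER DEFAULT PRIVILEGES IN SCHEMA web_user GRANT USAGE                  ON SEQUENCES TO web_editor;

-- Login roles are members of exactly one sub-role; the application connects as
-- one of these, so the database enforces the mix even if the UI is bypassed.
CREATE ROLE app_web_reader LOGIN PASSWORD 'change-me' IN ROLE web_reader;
CREATE ROLE app_web_editor LOGIN PASSWORD 'change-me' IN ROLE web_editor;

-- Check: list what each sub-role can actually do on the table.
SELECT grantee, privilege_type
FROM   information_schema.role_table_grants
WHERE  table_schema = 'web_user'
  AND  table_name   = 'orders'
ORDER  BY grantee, privilege_type;
```

The point of the check query at the end is that the effective permission set is something you can read back from the catalog and diff against what the sub-role is supposed to have; if the application layer alone controls SEL/INS/UPD/DEL, there is nothing equivalent to audit on the database side.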