Security permission Architecture

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.

silenceghost
Forum Newbie
Posts: 22
Joined: Sun Oct 19, 2008 3:25 am

Security permission Architecture

Post by silenceghost »

I'm thinking of applying to my application the most basic scheme Windows has used for security in its OS:
creating permission and entity tables,
mapping each permission to the user table to look up the permission;
all the values stored in the table are converted to binary, and those numbers decide the permission.

User 1
Entity   Value   Read  Write  Delete
Report   4       1     0      0
Search   7       1     1      1
Upload   2       0     1      0

User 2
Entity   Value   Read  Write  Delete
Report   5       1     0      1
Search   6       1     1      0
Upload   3       0     1      1

I know we can also create groups and map the group to the permissions instead of the user,
and finally put the user inside the group.
Are there any other concepts regarding this kind of security for web applications?
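The bit-flag scheme in the table above, worked through in PHP. This is an added example, not code from silenceghost's post; the bit weights are read off the table (Report 4 is read only, Upload 2 is write only, Search 7 is all three, so READ = 4, WRITE = 2, DELETE = 1), and the array layout standing in for the permission table is an assumption. The check masks the stored value to the known bits and compares the masked result with the full requirement, which is the detail that usually goes wrong in hand-written bitmask checks:

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Bit weights follow the
// table in the post: READ = 4, WRITE = 2, DELETE = 1.
const PERM_READ   = 0b100;
const PERM_WRITE  = 0b010;
const PERM_DELETE = 0b001;
const PERM_ALL    = PERM_READ | PERM_WRITE | PERM_DELETE;

// Constructed sample rows in an assumed layout: user id => entity => stored value.
// In a real application these rows come from the permission table described above.
$permissionRows = [
    1 => ['Report' => 4, 'Search' => 7, 'Upload' => 2],
    2 => ['Report' => 5, 'Search' => 6, 'Upload' => 3],
];

/**
 * True only when every bit in $required is set for this user and entity.
 * A missing user or entity resolves to 0, so the default is deny.
 */
function can(array $rows, int $userId, string $entity, int $required): bool
{
    // Mask to the known bits so a corrupted or oversized stored value cannot
    // carry extra "permissions" the application never defined.
    $value = ($rows[$userId][$entity] ?? 0) & PERM_ALL;

    // Compare with $required, not with 0: ($value & $required) is non-zero as
    // soon as ANY requested bit is set, which would let a read-only user pass a
    // check that asked for read AND delete.
    return ($value & $required) === $required;
}

/** Decode a stored value back into the Read/Write/Delete columns of the table. */
function describe(int $value): array
{
    return [
        'Read'   => ($value & PERM_READ) !== 0,
        'Write'  => ($value & PERM_WRITE) !== 0,
        'Delete' => ($value & PERM_DELETE) !== 0,
    ];
}

// Rebuild the post's table from the stored values.
foreach ($permissionRows as $userId => $entities) {
    echo "User $userId\n";
    foreach ($entities as $entity => $value) {
        $flags = describe($value);
        printf("  %-7s %d  read=%d write=%d delete=%d\n",
            $entity, $value, $flags['Read'], $flags['Write'], $flags['Delete']);
    }
}

// Checks covering a single bit, a multi-bit requirement and an unknown user.
$checks = [
    [1, 'Report', PERM_READ],
    [1, 'Report', PERM_DELETE],
    [2, 'Report', PERM_READ | PERM_DELETE],
    [2, 'Upload', PERM_READ],
    [3, 'Report', PERM_READ],
];
foreach ($checks as [$userId, $entity, $required]) {
    printf("user %d %-7s needs %03b: %s\n", $userId, $entity, $required,
        can($permissionRows, $userId, $entity, $required) ? 'allowed' : 'denied');
}
```

If groups are added on top of this scheme, the natural merge is a bitwise OR of the user's value and the group's value, which can only ever widen access; a per-user "deny" that overrides a group grant cannot be expressed with a single bitmask column and needs a separate deny mask or a three-state model.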
Darhazer
DevNet Resident
Posts: 1011
Joined: Thu May 14, 2009 3:00 pm
Location: HellCity, Bulgaria

Re: Security permission Architecture

Post by Darhazer »

You may be interested in the Zend Framework's ACL (access control list) - it's exactly a Windows-style permission system, with both users and groups, with permission inheritance, etc.

Usually we (in our company) use another approach, since there can be unlimited types of actions, and for each section there can be different types of actions... So we just make constants for the different actions, and put them in a UserXPermissions table:

UserID   PermissionID
1        SECTION_REPORT_SEARCH
1        SECTION_REPORT_UPLOAD
2        SECTION_REPORT_SEARCH

This means that user 1 can both perform search and upload, and user 2 can only do search.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Security permission Architecture

Post by kaisellgren »

What I do with my application is that I have three "states": GRANT, DENY & REVOKE. Each user has one of these for each action. The same applies to groups that users are in. For example:

User ID   Action            Permission
1         Submit Article    GRANT
1         Modify Article    GRANT
1         Remove Article    DENY
1         Publish Article   REVOKE

If the state is REVOKE, then it is not "set", and will be taken from the user group. If the user group does not have it, then it defaults to DENY. All user level permissions override group level permissions. This allows the use of infinite level user groups, customized user level permissions and the permissions can be applied to any tiny details such as Modify Article Date - DENY, but still access everything else.
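The resolution order kaisellgren describes (user entry first, then the user's group, then that group's parent and so on, with REVOKE meaning "not set" and an unresolved action ending as DENY), written out in PHP. This is an added example, not kaisellgren's code; the group chain, the sample users and the action names beyond the ones in the post are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. The three states are the
// ones named in the post; the data layout below is an assumption.
const GRANT  = 'GRANT';
const DENY   = 'DENY';
const REVOKE = 'REVOKE';

// Constructed sample data. Each user belongs to one group; each group may have
// a parent group, giving the "infinite level" nesting the post mentions.
$userPermissions = [
    1 => [
        'Submit Article'  => GRANT,
        'Modify Article'  => GRANT,
        'Remove Article'  => DENY,
        'Publish Article' => REVOKE, // "not set": falls through to the group
    ],
];
$userGroup   = [1 => 'editors'];
$groupParent = ['editors' => 'staff', 'staff' => null];
$groupPermissions = [
    'editors' => ['Publish Article' => GRANT, 'Modify Article Date' => DENY],
    'staff'   => ['Publish Article' => DENY,  'Read Article' => GRANT],
];

/**
 * Resolve one (user, action) pair to allowed / not allowed.
 * The first explicit GRANT or DENY found wins, starting at the user and walking
 * up the group chain; a REVOKE (or a missing row) at any level is skipped.
 * Nothing found at all means DENY.
 */
function isAllowed(
    int $userId,
    string $action,
    array $userPermissions,
    array $userGroup,
    array $groupParent,
    array $groupPermissions
): bool {
    $state = $userPermissions[$userId][$action] ?? REVOKE;
    if ($state !== REVOKE) {
        return $state === GRANT; // user-level GRANT/DENY overrides every group
    }

    $group = $userGroup[$userId] ?? null;
    $seen  = [];
    // $seen guards against a mis-configured parent chain that loops back on itself.
    while ($group !== null && !isset($seen[$group])) {
        $seen[$group] = true;
        $state = $groupPermissions[$group][$action] ?? REVOKE;
        if ($state !== REVOKE) {
            return $state === GRANT;
        }
        $group = $groupParent[$group] ?? null;
    }

    return false; // default DENY
}

// Walk through actions that exercise each path: user-level GRANT and DENY,
// fall-through to the group, fall-through to the parent group, a group-level
// DENY on a fine-grained action, and an action nobody has defined.
$actions = [
    'Submit Article',
    'Remove Article',
    'Publish Article',
    'Read Article',
    'Modify Article Date',
    'Delete Everything',
];
foreach ($actions as $action) {
    printf("%-20s %s\n", $action,
        isAllowed(1, $action, $userPermissions, $userGroup, $groupParent, $groupPermissions)
            ? 'allowed' : 'denied');
}
```

Two properties of this model are worth keeping in mind when it is put on a database: a user-level DENY can never be widened by any group, so group membership changes are safe for locked-down accounts, and a deleted or misspelled row silently behaves as REVOKE rather than DENY, so the fallback chain, not the row, is what enforces the default.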
silenceghost
Forum Newbie
Posts: 22
Joined: Sun Oct 19, 2008 3:25 am

Re: Security permission Architecture

Post by silenceghost »

Thank you for sharing your ideas.