
Security permission Architecture

Posted: Sun Jun 28, 2009 6:56 am
by silenceghost
I'm thinking of using, in my application, the most basic security scheme that Windows has used in its OS:
creating permission and entity tables,
mapping each permission to the user table to work out the permissions,
and storing all the values in the table converted to binary, where those numbers decide the permissions.

User 1

Entity   Value   Read  Write  Delete
Report   4       1     0      0
Search   7       1     1      1
Upload   2       0     1      0

User 2

Entity   Value   Read  Write  Delete
Report   5       1     0      1
Search   6       1     1      0
Upload   3       0     1      1

I know we can also create groups and map the group to the permissions instead of the user,
and then put the users inside the group.
Are there any other concepts regarding this kind of security for web applications?
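The bitmask model from the post above, written out as an added example in Python (this is not code from the original poster). It assumes the bit assignment the table implies (Read = 4, Write = 2, Delete = 1), embeds the two users from the table as constructed sample data, and also shows the group variant the poster mentions, where a user's effective mask is the OR of its groups' masks. The permission check requires every requested bit to be present and denies when an entity has no row at all, which is the check a reviewer would look for in this kind of code.

```python
from enum import IntFlag


class Perm(IntFlag):
    """Bit flags matching the poster's table: Report=4 -> Read only, Search=7 -> all three."""
    NONE = 0
    DELETE = 1  # least-significant bit
    WRITE = 2
    READ = 4


def decode(value: int) -> dict:
    """Expand a stored integer into the Read/Write/Delete columns of the table."""
    p = Perm(value)
    return {
        "Read": int(bool(p & Perm.READ)),
        "Write": int(bool(p & Perm.WRITE)),
        "Delete": int(bool(p & Perm.DELETE)),
    }


def encode(read: int, write: int, delete: int) -> int:
    """Collapse the three columns back into the integer stored in the Value column."""
    mask = Perm.NONE
    if read:
        mask |= Perm.READ
    if write:
        mask |= Perm.WRITE
    if delete:
        mask |= Perm.DELETE
    return int(mask)


def has_permission(user_perms: dict, entity: str, needed: Perm) -> bool:
    """True only if every bit in `needed` is set for `entity`.

    An entity with no row yields mask 0, i.e. default deny. Note the check is
    `(mask & needed) == needed`, not `mask & needed != 0`: the latter would grant
    READ|DELETE to a user who holds only READ.
    """
    mask = Perm(user_perms.get(entity, 0))
    return (mask & needed) == needed


# Constructed sample data: the two users from the table above.
USER_PERMS = {
    1: {"Report": 4, "Search": 7, "Upload": 2},
    2: {"Report": 5, "Search": 6, "Upload": 3},
}

# Constructed sample data for the group variant (group names are made up).
GROUP_PERMS = {
    "viewers": {"Report": 4, "Search": 4},
    "editors": {"Search": 6, "Upload": 2},
}
USER_GROUPS = {3: ["viewers", "editors"]}


def effective_mask(groups_of_user: list, entity: str) -> Perm:
    """Group variant: a member of several groups gets the union of their masks."""
    mask = Perm.NONE
    for group in groups_of_user:
        mask |= Perm(GROUP_PERMS.get(group, {}).get(entity, 0))
    return mask


if __name__ == "__main__":
    for user, perms in USER_PERMS.items():
        print(f"User {user}")
        for entity, value in perms.items():
            print(f"  {entity:<7} {value}  {decode(value)}")
    print("User 3 on Search:", effective_mask(USER_GROUPS[3], "Search"))
```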

Re: Security permission Architecture

Posted: Sun Jun 28, 2009 7:21 am
by Darhazer
You may be interested in the Zend Framework's ACL (access control list) - it's exactly Windows-style permission system, with both users and groups, with permissions inheritance, etc.

Usually we (in our company) use another approach, since there can be unlimited types of actions, and for each section there can be different types of actions... So we just make constants for the different actions, and put them in a UserXPermissions table:

UserID   PermissionID
1        SECTION_REPORT_SEARCH
1        SECTION_REPORT_UPLOAD
2        SECTION_REPORT_SEARCH

This means that user 1 can perform both search and upload, and user 2 can only do search.

Re: Security permission Architecture

Posted: Sun Jun 28, 2009 9:24 am
by kaisellgren
What I do with my application is that I have three "states": GRANT, DENY & REVOKE. Each user has one of these for each action. The same applies to groups that users are in. For example:

User ID   Action            Permission
1         Submit Article    GRANT
1         Modify Article    GRANT
1         Remove Article    DENY
1         Publish Article   REVOKE

If the state is REVOKE, then it is not "set", and will be taken from the user group. If the user group does not have it, then it defaults to DENY. All user-level permissions override group-level permissions. This allows the use of infinite-level user groups, customized user-level permissions, and the permissions can be applied to any tiny detail such as Modify Article Date - DENY, while still accessing everything else.
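The GRANT/DENY/REVOKE resolution described in this reply, as an added example in Python (not the poster's own code). The rules taken from the post are: a user-level GRANT or DENY wins outright; REVOKE means "not set" and falls through to the group; a group that also has no setting defaults to DENY. The post speaks of infinite-level user groups, so the example assumes nested groups with one parent each and resolves along that chain, nearest group first; the group names, the parent links and the user rows other than user 1 are constructed sample data. The walk also guards against a cycle in the parent links, since a misconfigured hierarchy should fail closed rather than loop.

```python
from enum import Enum


class State(Enum):
    GRANT = "GRANT"
    DENY = "DENY"
    REVOKE = "REVOKE"  # "not set": defer to the group, then to the default DENY


GRANT, DENY, REVOKE = State.GRANT, State.DENY, State.REVOKE

# Constructed group hierarchy (assumption: one parent per group, None at the top).
GROUP_PARENT = {"editors": "authors", "authors": "members", "members": None}

# Constructed group-level settings; anything absent is treated as REVOKE.
GROUP_PERMS = {
    "members": {"Submit Article": GRANT},
    "authors": {"Modify Article": GRANT, "Remove Article": GRANT},
    "editors": {"Publish Article": GRANT, "Remove Article": DENY},
}

# Which group each user belongs to (constructed).
USER_GROUP = {1: "editors", 2: "authors", 3: "editors"}

# User-level settings. User 1 is the row set from the post; users 2 and 3 are constructed.
USER_PERMS = {
    1: {
        "Submit Article": GRANT,
        "Modify Article": GRANT,
        "Remove Article": DENY,
        "Publish Article": REVOKE,
    },
    2: {"Modify Article Date": DENY},
    3: {"Publish Article": DENY},  # user-level DENY beats the editors' GRANT
}


def resolve(user: int, action: str) -> State:
    """Return the effective GRANT or DENY for (user, action); never returns REVOKE."""
    state = USER_PERMS.get(user, {}).get(action, REVOKE)
    if state is not REVOKE:
        return state  # user level always overrides the groups

    group = USER_GROUP.get(user)
    seen = set()
    while group is not None:
        if group in seen:
            # A cycle in GROUP_PARENT is a configuration error; fail closed.
            raise ValueError(f"group cycle detected at {group!r}")
        seen.add(group)
        state = GROUP_PERMS.get(group, {}).get(action, REVOKE)
        if state is not REVOKE:
            return state  # nearest group with an explicit setting wins
        group = GROUP_PARENT.get(group)

    return DENY  # nothing set anywhere: default deny


def is_allowed(user: int, action: str) -> bool:
    return resolve(user, action) is GRANT


if __name__ == "__main__":
    for user in sorted(USER_PERMS):
        for action in ("Submit Article", "Remove Article", "Publish Article", "Modify Article Date"):
            print(f"user {user:<2} {action:<20} {resolve(user, action).value}")
```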

Re: Security permission Architecture

Posted: Mon Jun 29, 2009 12:53 am
by silenceghost
Thank you for sharing your ideas