
design issues with permissions system

Posted: Thu Jul 01, 2004 8:01 am
by kirigoe
Hi,

I'm working on a network monitor application in PHP/MySQL. I'm currently trying to figure out how to handle permissions in the application, and I can't seem to think of a simple way that is still fast enough. I'll try to explain the scenario.

The objects I want to apply permissions to are set up in a hierarchy like this:

+ organisation
+--+ group
+--+--+ host
+--+--+--+ service

The objects are saved in four separate tables, with only a parent id field indicating the relation between parent and child.

The permissions need to be inherited, so if user A has permissions to group X then he also has access to host Z, since it's a child object of group X.

I see two ways this could be solved. The first is to have a function that goes up the hierarchy in real time whenever a permission needs to be checked, to see if a parent object has the correct permissions. This of course could get very slow with a lot of objects, producing lots of SQL queries to the database; it would perhaps need up to 20 or more permission checks on some pages that list the objects in a browser.

The second way would be to have a table in the database that has these permissions expanded, so that whenever permission to organisation A is added, all child objects of that object get their own row in the table. This table could grow quite big with a lot of objects, but more importantly, the more I think of it, the more I realise that it will be very hard to keep the list up to date. Whenever an object is added or deleted somewhere in the application, the permissions have to be updated accordingly.

I sincerely hope that I've been somewhat clear in what I want help with. I've been thinking about this back and forth for weeks, and all my ideas have some kind of pitfall. Any pointers or ideas will be most appreciated.

There is some info on the application on this page if needed.

Thanks in advance,
Daniel Netz

Posted: Fri Jul 02, 2004 3:35 pm
by xisle
Seems pretty clear to me. Assuming this is browser based and not shell scripting, I would probably use sessions and/or cookies to set the higher levels of access, so you are only querying the database once for organisation and group. Check the cookies before checking the database for lower levels of the tree, i.e. host/service. Good luck!
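The following is an added example, not code from this thread or from the poster's application. It combines the two ideas above: instead of walking the tree one parent at a time (many queries) or expanding grants into a big table that must be kept in sync, it uses the fact that the hierarchy has a fixed depth of four. The full ancestor chain of any object is then one SELECT with joins, a user's grants are loaded once and can be kept for the login (in the server-side session, i.e. `$_SESSION` in PHP; the browser cookie should carry only the session id, because anything stored in the cookie itself can be edited by the client), and a listing page gets every visible service from a single query that resolves inheritance inside the database. The schema, table names (`grp`, since `group` is a reserved word), ids and sample grants are assumptions; Python with sqlite3 is used so the example runs stand-alone, but the SQL ports directly to MySQL.

```python
import sqlite3

# Assumed schema, modelled on the post: four tables, each child row carrying
# only its parent's id. Grants are stored at whatever level they were given;
# nothing is expanded, so adding or deleting objects never touches this table.
SCHEMA = """
CREATE TABLE organisation (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE grp (id INTEGER PRIMARY KEY,
                  org_id INTEGER NOT NULL REFERENCES organisation(id), name TEXT NOT NULL);
CREATE TABLE host (id INTEGER PRIMARY KEY,
                   group_id INTEGER NOT NULL REFERENCES grp(id), name TEXT NOT NULL);
CREATE TABLE service (id INTEGER PRIMARY KEY,
                      host_id INTEGER NOT NULL REFERENCES host(id), name TEXT NOT NULL);
CREATE TABLE permission (
    user_id  INTEGER NOT NULL,
    obj_type TEXT    NOT NULL CHECK (obj_type IN ('organisation','group','host','service')),
    obj_id   INTEGER NOT NULL,
    PRIMARY KEY (user_id, obj_type, obj_id)
);
"""

# Constructed sample data (hypothetical names and ids).
SAMPLE = """
INSERT INTO organisation VALUES (1, 'acme');
INSERT INTO grp     VALUES (10, 1, 'web'), (11, 1, 'db');
INSERT INTO host    VALUES (100, 10, 'www1'), (101, 11, 'db1');
INSERT INTO service VALUES (1000, 100, 'http'), (1001, 101, 'mysql');
INSERT INTO permission VALUES (7, 'group', 10), (8, 'organisation', 1), (9, 'service', 1001);
"""

LEVELS = ("organisation", "group", "host", "service")

# Fixed depth means the whole ancestor chain is one query per object type;
# the query count no longer depends on how big the tree is.
ANCESTRY_SQL = {
    "organisation": "SELECT o.id, NULL, NULL, NULL FROM organisation o WHERE o.id = ?",
    "group":        "SELECT g.org_id, g.id, NULL, NULL FROM grp g WHERE g.id = ?",
    "host":         "SELECT g.org_id, g.id, h.id, NULL FROM host h "
                    "JOIN grp g ON g.id = h.group_id WHERE h.id = ?",
    "service":      "SELECT g.org_id, g.id, h.id, s.id FROM service s "
                    "JOIN host h ON h.id = s.host_id "
                    "JOIN grp g ON g.id = h.group_id WHERE s.id = ?",
}

# One query returns every service a user may see, with inheritance resolved
# in the database, so a listing page does not check 20 objects one by one.
VISIBLE_SERVICES_SQL = """
SELECT s.id
FROM service s
JOIN host h ON h.id = s.host_id
JOIN grp  g ON g.id = h.group_id
WHERE EXISTS (
    SELECT 1 FROM permission p
    WHERE p.user_id = ?
      AND ((p.obj_type = 'organisation' AND p.obj_id = g.org_id)
        OR (p.obj_type = 'group'        AND p.obj_id = g.id)
        OR (p.obj_type = 'host'         AND p.obj_id = h.id)
        OR (p.obj_type = 'service'      AND p.obj_id = s.id)))
ORDER BY s.id
"""


def build_demo_db():
    """In-memory database with the assumed schema and constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn


def ancestry(conn, obj_type, obj_id):
    """[(type, id), ...] from the organisation down to the object itself,
    or None if the object does not exist (an unknown object must be denied)."""
    row = conn.execute(ANCESTRY_SQL[obj_type], (obj_id,)).fetchone()
    if row is None:
        return None
    return [(lvl, oid) for lvl, oid in zip(LEVELS, row) if oid is not None]


def load_grants(conn, user_id):
    """All grants of one user as a frozenset of (type, id). This is the part
    worth loading once per login and keeping in the server-side session."""
    rows = conn.execute("SELECT obj_type, obj_id FROM permission WHERE user_id = ?", (user_id,))
    return frozenset(rows)


def can_access(conn, user_id, obj_type, obj_id, grants=None):
    """Inherited check: allowed if the object or any ancestor is in the user's
    grants. Permission never flows upward (a group grant gives nothing on the
    organisation). Pass cached grants to avoid re-querying the permission table."""
    chain = ancestry(conn, obj_type, obj_id)
    if not chain:
        return False
    if grants is None:
        grants = load_grants(conn, user_id)
    return any(node in grants for node in chain)


def visible_services(conn, user_id):
    """Ids of all services the user may see, from a single query."""
    return [r[0] for r in conn.execute(VISIBLE_SERVICES_SQL, (user_id,))]


if __name__ == "__main__":
    db = build_demo_db()
    g7 = load_grants(db, 7)                           # user 7 holds group 10 (web)
    print(can_access(db, 7, "service", 1000, g7))     # True: inherited from group 10
    print(can_access(db, 7, "organisation", 1, g7))   # False: no upward inheritance
    print(visible_services(db, 8))                    # [1000, 1001]: whole organisation
```

With cached grants, a page that lists objects costs one ancestry query per object it checks individually, or one query in total if it uses the listing query. If a grant is revoked mid-session the cached set is stale until the next login, so invalidate the session entry (or reload it) whenever the permission table changes for that user.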

Posted: Fri Jul 02, 2004 7:23 pm
by kettle_drum
Or you create a tree with the groups, your group at the top, higher groups to the right, lower to the left. Then you know that you are allowed to do anything on the left of the tree. Maybe then save this tree to the user's profile, and have the code update all of these when the groups change.