Page 1 of 1

Access rights with groups

Posted: Wed Oct 19, 2005 9:19 am
by vd
Hello,

I'm currently working on an idea to handle access rights. At the moment I have created a system which gives you the possibility to create users and groups. A user can be a member of unlimited groups. I would like to add access rights to the groups only.

My problem is:

You link a user to a group and give the group special rights. After this you would like to create a new user with "superuser" rights and link him to the same group as well as to other groups, because he should have access to all groups. The normal user has the right to access all the pages which were created by people within his group. But in this case he has also the right to access the pages from the superuser, because he is a member of you group, too. Is there a possiblity to avoid this?

Has anybody an idea?

Thank you very much.

vd

Posted: Wed Oct 19, 2005 4:45 pm
by deltawing
As well as linking a page to a user, link it to a group too. That way, you can make it so that a user can only access pages created in his/her group.

Oh, sorry, I just realised I'm missing the point. I'm sure you can make an exception in your code for the superuser. Maybe make it so that, even though a superuser isn't listed as a member in the group, he/she can create a page which can be read by any groups he/she chooses. This would add complexity to your table structure, and may involve having to add an extra table, but its the only obvious way around it that I can see. Without knowing your actual table structure, I can't suggest a more detailed solution.

Posted: Wed Oct 19, 2005 5:00 pm
by timvw
I don't see the problem.

- If you add a user to the superuser group, he should get all the rights.. If you don't want him to have all the rights, don't add him to the superuser group.

- When the user logs in, ask him also as which group he wants to log in... He only gets the rights of that group...


I usually prefer a [user] 1 - 1 [user_group] 1 - n [script] setup.

Yes, this has the disadvantage that i need two accounts, one for maintainance and one for regular use..
(Or the advantage that i can't break stuff when i'm drunk and performing regular (ab)use.)

Posted: Wed Oct 19, 2005 5:24 pm
by pickle
I'd suggest making an exception for the superuser group. Give anyone in that superuser group the ability to make pages for any group, without other users being to edit superuser pages.

Posted: Wed Oct 19, 2005 5:30 pm
by deltawing
timvw wrote:I don't see the problem.
No, there is a problem. "The normal user has the right to access all the pages which were created by people within his group. But in this case he has also the right to access the pages from the superuser, because he is a member of you group, too".

So, if TheBigBoss, who is a member of all groups because he is a superuser, writes a new page, TheRegularUser, who is a member of Group45 can read that page, because TheBigBoss is am member of Group45 too. So anything written by a member of Group45 (including a superuser) can be read by TheRegularUser.

I think that however you do this, if you want [user] 1-M [usergroup], then your going to have to have an exception in your code for superusers, or for pages created by superusers. You can't have them following the same rules as everyone else.

Posted: Wed Oct 19, 2005 6:11 pm
by Ambush Commander
Here's my suggestion.

Ordinary User - view all pages that are not restricted and created by members of his group
Superuser - view all pages, no constraint. Has ability to restrict pages he creates.

Posted: Thu Oct 20, 2005 3:07 am
by vd
thank you very much for your suggestions!

deltawing you got it. As I understood you right there is no other solution than writing restrictions for ordinary users.

In my case, all the groups have the same access rights. I think, I have to write a logic which detects if a user is part of only one group (ordinary user) or member of different groups (superuser). The users will be organised in a multilevel structure without giving direct access rights to a user (it should be dynamic somehow):

Image

The system should detect if a user is located on the same level as the user of the pages he want to see (allowed, if he is in the same group), or if it is a level under (allowed, if he is in the same group) or upper (not allowed).

Posted: Thu Oct 20, 2005 10:34 am
by alvinphp
This is how my security works (basic Actor/Role/Rights structure)

You have your list of actors (users)
- list of users

You have your roles (groups) that an actor can have
- Power User
- Application User
- Reports User

Then you have rights that a role can have
1 - Read All Records
2 - Read Records Created by User
3 - Add/Edit Records
4 - Delete Record

So an Application User would have rights of 2,3,4 while the Reports user would only have 1. If a user needed a set of rights where a role did not exist for it I would create a new role and add the needed rights. Another possiblity is allowing a user to have mutliple roles where two roles would give the user the rights they needed.

Also, in the application, all access rights (entitlements) would be based off of rights and never on the group or the user. This makes it much easier later on if you add a new right as all you need to do is at the right to the appropriate role and everyone in that role now gets the rights.

Posted: Fri Oct 21, 2005 10:09 am
by vd
I would like to create a very flexible permission system. The grant of permissions should work as dynamic as possible. So it should be enough if I grant permissions only to the group and everybody who is a member of this group will inherit her permissions. If a specific person should have more rights I need to put him also to another group which has these rights. To be sure that there is no suspension of rights I will create only permissions and no restrictions. I'm not sure, but I think it is a good idea.

Maybe someone of you already build a system like this and can give me a hint.

Have a nice weekend and many thanks for your ideas.