Users, Roles and Rights/Privileges model..

Post by Jenk »

(Brief intro: a right/privilege in this context is something like "can CRUD other users" or "can CRUD news articles" whereas a role example is "User", "Admin" etc.)

My colleagues and I are drafting up a model of the user privileges system we wish to use for a new project.

However, we have met some conflicts - namely I want to use "roles" for nothing more than a convenience feature for pre-determined roles that users can slot into when created, but maintain that the relationship is directly from users to rights.

Others want to use roles as the mainstay of the whole privilege system, i.e. users have roles, roles have rights, but the user object doesn't know that rights even exist. I have seen this on several occasions become not only chaotic in terms of the number of roles created, but also the role relationship becomes superfluous as more and more roles pop up with only one right/privilege.

What I'm trying to do is present the idea that having a many-to-many relationship between individual rights to users is more flexible and less chaotic than creating a user role, which can have many rights, and then maintain a many-to-many user role relationship. We will still use roles, but they will only be as preset templates, not as the concrete role the user will maintain (the admin will be able to update the privileges individually as well as pick roles at CRU(D) time.) There is one small impediment with this model, and that is searching for users with a particular role, but I explained this was just a case of searching for users that have matching privileges as those of the role(s) in question.

Now, I suck at presenting my ideas, always have. So I've been looking for any existing presentations or discussions or blogs or etc.. but unfortunately my google-fu is not good enough to get past the 1,000s of results I am getting for "role model" when I search for "user role model" and was wondering if anyone knows of a nice blog or such that has a good discussion? Perhaps we can start one here? :)

Post by scriptah »

I would stick to your way, as I also think that a user class that doesn't know which rights it has, or even that rights do exist, will cause problems down the road.

I always like to take real world examples and use them in my design.
As long as my design is rational and follows the logic of the real world, I know I can't be that wrong.

You should try to show them how your design fits real world situations, not only how it would benefit the coding itself.
"Users" in the "real world" do know boundaries. They know they have rights to do some stuff while being forbidden to do others. The chaos you saw when you don't follow this simple rule also exists in the real world.

Instead of preventing the user from taking an action on the action itself (AFTER he already tried to perform such action), you could simply prevent him before he even tried to take the action.

Let's take another example: besides me being an "Administrator" of the system, I'm a regular "User" also.
Using their system my permissions would be defined strictly by my role. But I do fulfill two different roles at the same time.
> There is one small impediment with this model, and that is searching for users with a particular role, but I explained this was just a case of searching for users that have matching privileges as those of the role(s) in question.
I don't see it as an impediment.
The roles are just a mere title or description we stick to a group of privileges in order to categorize them.
If the privileges of a user do match the privilege requirements of a certain role, the user in one way or another DOES fulfill the role EVEN though on the system it doesn't say so.

I suck at presenting ideas also ... :banghead:

Post by Jenk »

That's what I went for in the end, however I was also thrown a bone by the User - after I pointed out we haven't strictly speaking actually explained the possibilities to the client to ask what they want, and fortunately they have asked for as much flexibility as possible, and even specified they would rather select individual privileges for each user.

So we are dropping "roles" altogether :)

However, I think this type of discussion would still be of great benefit to the community - a discussion on how to present Ideas, as development is not just about typing code. :)

Post by Christopher »

I think it depends on the system. The whole point of Roles is to provide an intermediate "table" to hold relations. Just like in any database problem with many-to-many relationships. If the problem is simple enough you can eliminate that relation and just hold the set of relations in a field. But as complexity increases, so do the benefits of the intermediate relation. With a Roles system you only need to update the much smaller intermediate data when you add, remove or change rights. Otherwise you must update every user record for each change. If you have a single, centralized user table then it is no problem. Distribute users and a Roles system starts to make a lot more sense.
(#10850)
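
The model discussed in this thread, as an added example that is not part of any post: rights are stored directly per user, role presets are only copied at creation time, and a role search is a superset match on rights. All names and data are constructed; the last lines show the cost raised above, that tightening a preset leaves existing users' rights untouched until each record is reviewed.

```php
<?php
// Added example: every name and value here is constructed for illustration.

// Role templates are presets copied onto a user at creation time.
$templates = [
    'User'  => ['news.read'],
    'Admin' => ['news.read', 'news.crud', 'users.crud'],
];
$userRights = [];   // direct user -> rights relation; no role name is stored

function createFromTemplate(array &$userRights, array $template, string $user): void
{
    $userRights[$user] = array_values(array_unique($template));   // a copy of the preset
}

// Deny by default: an unknown user or an unlisted right yields false.
function can(array $userRights, string $user, string $right): bool
{
    return in_array($right, $userRights[$user] ?? [], true);
}

// "Users with role X" = users whose rights are a superset of X's template.
function usersFulfilling(array $userRights, array $template): array
{
    $matches = [];
    foreach ($userRights as $user => $rights) {
        if (array_diff($template, $rights) === []) {
            $matches[] = $user;
        }
    }
    return $matches;
}

// Rights held beyond the template: what an audit must find after a preset changes.
function extraRights(array $userRights, string $user, array $template): array
{
    return array_values(array_diff($userRights[$user] ?? [], $template));
}

createFromTemplate($userRights, $templates['Admin'], 'alice');
createFromTemplate($userRights, $templates['User'], 'bob');
$userRights['bob'][] = 'news.crud';                 // individual grant, no new role needed

$templates['Admin'] = ['news.read', 'news.crud'];   // preset tightened after users exist

var_dump(can($userRights, 'alice', 'users.crud'));                // reads alice's stored copy
print_r(usersFulfilling($userRights, $templates['Admin']));       // superset match per user
print_r(extraRights($userRights, 'alice', $templates['Admin']));  // rights to review or revoke
```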

Post by Jenk »

Quite. This system isn't quite on the scale of, say, a corporate Active Directory tree, but it will be "large"; however, for now we have decided to go simple and wait for the customer to actually ask for it before we get too fancy. (Which was also one of my points - Agile/Scrum encourages minimal work until it is actually needed.)