What is the best way to implement authentication with groups

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

jgarifuna
Forum Newbie
Posts: 3
Joined: Tue Nov 15, 2005 7:02 pm

What is the best way to implement authentication with groups

Post by jgarifuna »

Please forgive me if this is not the right place for this question.

I would like to create a security model where all intended users will have access to the system from a single point of entry. The intended users are:

- company employees (including regular employees by department and administrator users)
- customers
- vendors
- suppliers

Each group of users will only be given access to certain sections, and each user within the group has access to their personal items as well as some predefined group-accessible items.

I was thinking about creating a single table with the usernames/passwords and then a separate table for each group (e.g. one for customers, one for vendors, one for suppliers, one for employees, etc.).

The customer records are in the thousands and employees may be delegated certain tasks so I thought that if I separated the employees from the customers, it would narrow down the list when selecting employees for delegation.

Any input on how to best do this would be greatly appreciated.

Kind regards,
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

To me it appears you have three 'entities' being: users, roles and permissions.

Usually each user belongs to exactly one group, and each group can have many users (1 - n).
Each group can have many permissions, and a given permission can be given to many groups (n - m).

This would lead you to a table setup like this:

[user] 1 - n [group] 1 - n [grouppermissions] n - 1 [permissions].

In the situation where a user can belong to multiple groups (notice that you will have to define the rules for situations where the first group of a user has a permission, and a second group of that user doesn't have that permission...) it will look like:

[user] 1 - n [usergroups] n - 1 [groups] 1 - n [grouppermissions] n - 1 [permissions]

You could think now like: "So, for the pages where only my specific user has access to, I'll create a group (with only that user) and then grant the group access to those pages..." In my experience, all users of a group have access to their profile page (so they get the same permissions)... But they get different 'initialization' parameters for the given page... E.g.: all users in the 'employee' group have a 'personal profile' page, but for each user, the page gets a different 'user_id' that will be used for fetching the specific data...
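As an added example (not code from this thread or from either poster), here is the second layout above, user -> usergroups -> groups -> grouppermissions -> permissions, built in SQLite with a permission check and the "same page, different user_id" scoping that timvw describes. The entity is called `roles` (timvw's own word in the first line of his post) to stay clear of SQL keywords; the table and column names, the sample users, the placeholder password hashes and the conflict rule are all assumptions of this example. The conflict rule chosen here is deny-overrides: if any of the user's groups carries an explicit deny for a permission, the user does not have it, whatever the other groups grant. Every query is parameterized, which is the habit this forum exists to enforce.

```python
import sqlite3

# Schema for the n-m layout: a user may sit in several roles, a role may hold
# several permissions. Names are this example's own, not from the thread.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    password_hash TEXT NOT NULL          -- a password hash, never the password
);
CREATE TABLE roles (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL UNIQUE
);
CREATE TABLE user_roles (                -- user 1-n [user_roles] n-1 roles
    user_id INTEGER NOT NULL REFERENCES users(id),
    role_id INTEGER NOT NULL REFERENCES roles(id),
    PRIMARY KEY (user_id, role_id)
);
CREATE TABLE permissions (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL UNIQUE
);
CREATE TABLE role_permissions (          -- roles 1-n [role_permissions] n-1 permissions
    role_id INTEGER NOT NULL REFERENCES roles(id),
    permission_id INTEGER NOT NULL REFERENCES permissions(id),
    allow INTEGER NOT NULL DEFAULT 1,    -- assumption: 1 = grant, 0 = explicit deny
    PRIMARY KEY (role_id, permission_id)
);
"""


def build_sample_db():
    """In-memory database with constructed sample data (placeholder hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "<hash-placeholder>"),   # employee
        (2, "bob", "<hash-placeholder>"),     # employee and administrator
        (3, "carol", "<hash-placeholder>"),   # customer
        (4, "dave", "<hash-placeholder>"),    # customer whose access is suspended
    ])
    conn.executemany("INSERT INTO roles VALUES (?, ?)", [
        (1, "employee"), (2, "admin"), (3, "customer"), (4, "suspended"),
    ])
    conn.executemany("INSERT INTO permissions VALUES (?, ?)", [
        (1, "view_profile"), (2, "delegate_task"), (3, "view_orders"),
    ])
    conn.executemany("INSERT INTO user_roles VALUES (?, ?)", [
        (1, 1), (2, 1), (2, 2), (3, 3), (4, 3), (4, 4),
    ])
    conn.executemany("INSERT INTO role_permissions VALUES (?, ?, ?)", [
        (1, 1, 1),            # employee: view_profile
        (2, 1, 1), (2, 2, 1), # admin: view_profile, delegate_task
        (3, 1, 1), (3, 3, 1), # customer: view_profile, view_orders
        (4, 1, 0),            # suspended: explicit deny on view_profile
    ])
    conn.commit()
    return conn


def has_permission(conn, user_id, permission):
    """Deny-overrides across all of the user's roles (this example's rule).

    MIN(allow) is 0 as soon as any role denies; COUNT(*) is 0 when no role
    mentions the permission at all, which is also a refusal.
    """
    min_allow, count = conn.execute(
        """
        SELECT MIN(rp.allow), COUNT(*)
        FROM user_roles ur
        JOIN role_permissions rp ON rp.role_id = ur.role_id
        JOIN permissions p ON p.id = rp.permission_id
        WHERE ur.user_id = ? AND p.name = ?
        """,
        (user_id, permission),
    ).fetchone()
    return count > 0 and min_allow == 1


def users_in_role(conn, role_name):
    """The narrowed list the original poster wanted, e.g. employees for delegation."""
    rows = conn.execute(
        """
        SELECT u.username FROM users u
        JOIN user_roles ur ON ur.user_id = u.id
        JOIN roles r ON r.id = ur.role_id
        WHERE r.name = ? ORDER BY u.username
        """,
        (role_name,),
    ).fetchall()
    return [r[0] for r in rows]


def profile_for(conn, user_id):
    """One 'personal profile' page for everyone; the user_id scopes the data.

    The role check decides whether the page is reachable; the WHERE clause
    decides whose row comes back, so no user can request another user's row.
    """
    if not has_permission(conn, user_id, "view_profile"):
        return None
    row = conn.execute(
        "SELECT id, username FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    return {"id": row[0], "username": row[1]}


if __name__ == "__main__":
    db = build_sample_db()
    print(users_in_role(db, "employee"))          # ['alice', 'bob']
    print(has_permission(db, 2, "delegate_task")) # True
    print(profile_for(db, 4))                     # None: suspended denies view_profile
```

In a real application the `user_id` passed to `profile_for` comes from the server-side session after login, not from a request parameter, otherwise the scoping in the WHERE clause is worth nothing.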
jgarifuna
Forum Newbie
Posts: 3
Joined: Tue Nov 15, 2005 7:02 pm

Post by jgarifuna »

Thanks a million!

Your explanation is clear cut. I'll try it.

I'm currently working on a code generator and I would like to implement some of these features.

When you get a chance feel free to read my release notes and test the code generator at the following link:

http://www.jgari.com/?q=node/34