1. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2012
    Rep Power

    Handling Permissions is there a best practice? to avoid redundancies

    what is the best way to setup user permissions, in a multi tiered permissions system. The following are the general constraints I am working with in regards to the context that I ask this question:

    My particular situation, I have places that people may or may not be allowed to post to depending on if they're related to it, or if they're given specific permissions.

    Group A has access to under section A
    User XYZ happens to not be part of group A but was given special permissions to view all Sections and post.
    Group B has access to sections B and C
    Group C has access to section C only
    Group D has access to all sections and certain admin privileges.

    My question is what is the best practice to make customizable permissions that a particular owner of a site can access by. I am trying to avoid redundancy as much as possible pertaining to the privileges. There can be x number of sections and z number of groups and y number of users(basically it can be any number of any of the following) I am trying to setup a system that will allow people to be assigned view of a section regardless of their group and groups of users to have access to sections because of their group, the idea is customization. I also would like to be able to setup admin privileges on a by group and by user basis. Is there a best practice for this?

    I am working on a system in PHP, just I've hit a snag on permissions, I keep finding myself having a lot of redundancies. where I'm not seeing a good answer to handling them, given these constraints.
    If my post answered your question please give rep.
  2. #2
  3. No Profile Picture
    Lost in code
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 2004
    Rep Power
    Can you give an example of type of redundancies that you're running into?

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
  4. #3
  5. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2012
    Rep Power
    Originally Posted by E-Oreo
    Can you give an example of type of redundancies that you're running into?
    Right now my redundancies I keep running into is permissions being duplicated. Here is the example two tables in the current designs I've tried require addUserToGroup as a column name the group_permissions table and the user_permissions table

    Example for custom user access user_ID, AddUserToGroup may be the collumns in one table, while another will have instead of user_ID will be storing group_ID instead, another table handles accessRights which is group_ID, project_ID to determine group access rights I am trying to come up with a simple easier to maintain and modify/add to later on for the system. I've never built a system that dealt with permissions that were not hard coded strictly to be all permissions for all users of the system except for a few hard coded to a user name reserved in the System as super admins. This would be the first front facing project which could have a lot of users, that I have set out to build. I have found the following issues and figured that I am fairly certain there is a better way than what I have been able to come up with and probably a best practice for handling customizable user and group based permissions to avoid redundancy of permissions such as createUser, addUserToGroup(althrough this one had to be put into a special table anyways because different groups may have different group managers and is also needed to be given to the master admin for the purpose of creating a new group, groups must have at least one manager who could add and remove users.

    Edit: Should I merely just create a table that is permissions(permission_id, permission_title)

    and have when a new section is added auto generate a new permissions when they are created, automatically? for viewing, access, and moderate? or is the approach of putting permissions as columns the better idea?

    edit:forgot to add context to how the permission was duplicated up top, added detail, context.

    Edit:would doing this be a bad idea, to remove the redundancy?
    table permissions(char user_group(type),int(11)user_id(fk_may be null),int(11) group_id(fk may be null), bool permission1, bool permission2, bool permission3)

    Or is this likely to get me into trouble later on in the sql, by making things more complicated than they should be?
    Last edited by TaronDcross; July 1st, 2012 at 01:44 PM.
    If my post answered your question please give rep.
  6. #4
  7. Mad Scientist
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Oct 2007
    North Yorkshire, UK
    Rep Power
    A common solution is access control lists, this is my implementation:

    I use access control lists (ACL) with "policy precedence"

    Every data object belongs to a resourse group
    Every user belongs to a user group
    Every user has a policy weight value (0 being the most important, going upwards the less weight they have)

    Every time a resource is created so is an entry in the ACL, with a policy (and policy weight) which dictates who (ie users/user groups) can perform what actions [ie which basic CRUD operations (plus a few extra like request CRUD or CRUD for child objects)]

    ACLs work well because they are robust, but they are also a nightmare to manage.... this automated method of creating the entries at object creation gets round this and deliberately allows conflicting policies. Having a policy precedence order then allows conflicting policies to be ordered by who is most important - and that is the policy that is applied to the request.

    Certain members have the ability to edit the ACL by locking/unlocking or otherwise restricting user/usergroup actions for resources/resource groups...but someone higher up the company can supersede it.

    Here are my notes from when I first sketched out this idea:

    policy dictates precedence order of Limit Types
    User              ACL is applied to a User
    Resourse          ACL is applied to a Resource
    User Group        ACL is applied to a User Group
    Resourse Group    ACL is applied to a Resourse Group
    Global            ACL is applied to a User and a Resourse (or everything (eg admin rights))
    Default policy = Global>Resource Group>User Group>Resource>User
    However, default limit type is user, so "global" as an ACL type may never be returned unless for admin
    Roles are shortcuts to populating a set of entries in the ACL by grouping actions:
    Role = Allowed Actions
    ACLs (Access Control Lists)
    ACL = Role + Policy + Policy Weight +  LimitType + [user | user group] + [resourse | resourse group] + resourse type
    General, Global>Resource Group>User Group>Resource>User, 9999, User ,user_group_id, resource_group_id, resource_type
    General, Global>Resource Group>User Group>Resource>User, 9999, Global ,user_group_id, resource_group_id, resource_type
    user/user group, resourse, resourse group and resourse type fields may be wildcarded:
    Admin, Global, 0, Global, *, *, *
    a requested action may have conflicting roles, this is where a policy comes in
    expected process
    user request to perform an action on a given resourse
    ACL queried for User Group,      Resourse Group               &             Resourse Type
    ACL queried for User,                    Resourse Group               &             Resourse Type
    ACL queried for User,                    Resourse             &             Resourse Type
    ACL queried for User Group,      Resourse             &             Resourse Type
    Multiple results are returned
                    Ordered by policy weight. 0 is more important than higher values
                    Policy says
                    #1 policy says
                    Resourse Group>User>User Group>Resourse
                    what does this mean?
                    It means order the ACL entries returned by
                    User Group
                    Resourse Group
                    Then loop over the the ACL entries, look in the role for the requested action
                    start with $allowed = false;
                    update $allowed to true if action found in ACL role or false if not
                    If the ACL with the most important policy weight is not found then don't worry!
    No results are returned
                    action not allowed
    I said I didn't like ORM!!! <?php $this->model->update($this->request->resources[0])->set($this->request->getData())->getData('count'); ?>

    PDO vs mysql_* functions: Find a Migration Guide Here

    [ Xeneco - T'interweb Development ] - [ Are you a Help Vampire? ] - [ Read The manual! ] - [ W3 methods - GET, POST, etc ] - [ Web Design Hell ]

IMN logo majestic logo threadwatch logo seochat tools logo