
A role model for access-rights data in a web resource

In this article I will describe a way of organizing access rights to a web resource based on a role model.
I will note right away that the application-level implementation of obtaining or checking rights in any programming language is not given here; the focus is only on the infological (conceptual) database model.
I consider the proper organization of storing this information the most important part: a flexible model that meets the stated requirements makes it easy and painless to extend the system, and it can be implemented without difficulty in any web-oriented language.
The method proposed here is similar to the popular organization of access rights described in phpGACL.

So, this implementation method will suit you if:

1) You want to be able to obtain a user's access rights for a specific system object, down to each individual user;
2) You want to organize users so that each belongs to a subject (an entity such as a project) within which they have a certain set of rights, while also allowing a user to belong to several subjects at once;
3) It would be ideal if some users within a subject could manage the access rights of other users in the same subject without administrator involvement, while such users themselves never go beyond the rights of their own subject;
4) You would like the system to be intuitive, simple to implement in any programming language designed for web development, and storable in any relational database;
5) The information system will eventually need to log user actions, and you would like a direct link between the access-rights system and the logging system.

Let us consider a practical example.

The goal is to organize a project management system, for example, as follows (the original article shows the role hierarchy as a figure with the roles listed under the headings "System" and "Project"; the figure is not reproduced here).

Consider a database model that implements the storage of rights (shown as a schema diagram in the original article; its tables are listed below):

What we have:
1) object - the access object;
2) action - an action performed on an object;
3) permission - permission to perform a given action on a given object;
4) user - a user;
5) project - a project (in other information systems this could be a "partner", "contract", etc.);
6) project_type - the project type;
7) user_assigment - binding of a user to a specific project;
8) role - a role defined for a project type (project_type);
9) role_permission - assignment of a permission to a role;
10) role_user_assigment - assignment of a user-project binding (user_assigment) to a specific role;
11) removed_permission_user_asgmt - removal of a permission for a specific user_assigment binding.

Next, the sequence of steps:

1) According to the task we have 2 project types, "user project" and "system"; we record them in project_type.
2) We also have 2 roles for the "system" type and 6 roles for the "user project" type; we record them in role under the corresponding project_type.
3) Next, we define the objects that users will work with (e.g. "user profile", "task", "testing", "note", etc.).
4) We define the actions performed on all objects. These are both the classic CRUD operations and system-specific ones: "assign", "block", "download", etc.
5) From specific actions and objects we form the set of permissions, for example "Add task", "Edit note", etc.
6) We grant permissions to specific roles in role_permission.
7) Finally, it remains only to create the actual users and projects, bind the former to the latter in user_assigment, and assign them roles within a specific project in the role_user_assigment table.

In this system there is no such thing as a deny: if a user has 2 roles, his access rights are the union of all permissions of those roles.
If the user must nevertheless lack some specific permission that his roles grant, it is enough to add it to the removed_permission_user_asgmt table (which means the absence of that access right). For example, a tester needs a permission that only the "Project Manager" role has. In that case it is enough to assign the tester the "Project Manager" role and enter into removed_permission_user_asgmt all of that role's permissions except the required ones.
Within this organization there is no difficulty in giving any role of a user project the right to independently assign roles to users within the project, and such a user will not be able to grant himself or anyone else the permissions of the "system administrator" role, because he will only be offered the roles and permissions associated with his project_type.
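As an added example (not the article's own code, which was a PHP application on Oracle), the following SQLite rendering of the eleven tables listed above walks through the steps just described: it loads constructed sample data, resolves a user's effective permissions in a project as the union of role permissions minus the rows in removed_permission_user_asgmt, lists the roles a project-level manager may offer, and adds a database trigger that refuses to bind a role outside its project_type. The trigger is my assumption about where that restriction could be enforced; the article leaves the check to the application. Column names beyond those on the page, the sample users, projects and permissions are all assumptions.

```python
import sqlite3

# Added example: a SQLite rendering of the article's eleven tables, using the
# article's own table names (including its "assigment"/"asgmt" spellings).
# "user" and "action" are quoted because they are reserved words in some engines.
SCHEMA = """
CREATE TABLE object (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE "action" (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE permission (id INTEGER PRIMARY KEY,
    object_id INTEGER NOT NULL REFERENCES object(id),
    action_id INTEGER NOT NULL REFERENCES "action"(id),
    UNIQUE (object_id, action_id));
CREATE TABLE "user" (id INTEGER PRIMARY KEY, login TEXT UNIQUE NOT NULL);
CREATE TABLE project_type (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE project (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
    project_type_id INTEGER NOT NULL REFERENCES project_type(id));
CREATE TABLE user_assigment (id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES "user"(id),
    project_id INTEGER NOT NULL REFERENCES project(id),
    UNIQUE (user_id, project_id));
CREATE TABLE role (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
    project_type_id INTEGER NOT NULL REFERENCES project_type(id));
CREATE TABLE role_permission (role_id INTEGER NOT NULL REFERENCES role(id),
    permission_id INTEGER NOT NULL REFERENCES permission(id),
    PRIMARY KEY (role_id, permission_id));
CREATE TABLE role_user_assigment (role_id INTEGER NOT NULL REFERENCES role(id),
    user_assigment_id INTEGER NOT NULL REFERENCES user_assigment(id),
    PRIMARY KEY (role_id, user_assigment_id));
CREATE TABLE removed_permission_user_asgmt (
    user_assigment_id INTEGER NOT NULL REFERENCES user_assigment(id),
    permission_id INTEGER NOT NULL REFERENCES permission(id),
    PRIMARY KEY (user_assigment_id, permission_id));
-- My addition (assumed, not from the article): enforce inside the database that a
-- role may only be bound to a user-project binding whose project has the role's
-- project_type, so a project-level role manager cannot hand out "system" roles.
CREATE TRIGGER role_matches_project_type BEFORE INSERT ON role_user_assigment
WHEN (SELECT project_type_id FROM role WHERE id = NEW.role_id) IS NOT
     (SELECT p.project_type_id FROM user_assigment ua JOIN project p
      ON p.id = ua.project_id WHERE ua.id = NEW.user_assigment_id)
BEGIN SELECT RAISE(ABORT, 'role project_type does not match project'); END;
"""

# Constructed sample data mirroring the article's walk-through: two project
# types, one "system" role, two "user project" roles, three permissions.
SAMPLE_DATA = """
INSERT INTO project_type VALUES (1, 'system'), (2, 'user project');
INSERT INTO role VALUES (1, 'system administrator', 1), (2, 'Project Manager', 2), (3, 'Tester', 2);
INSERT INTO object VALUES (1, 'task'), (2, 'note');
INSERT INTO "action" VALUES (1, 'add'), (2, 'edit'), (3, 'assign');
INSERT INTO permission VALUES (1, 1, 1), (2, 2, 2), (3, 1, 3);      -- add task, edit note, assign task
INSERT INTO role_permission VALUES (2, 1), (2, 2), (2, 3), (3, 1);  -- PM: all three; Tester: add task
INSERT INTO "user" VALUES (1, 'alice'), (2, 'bob');
INSERT INTO project VALUES (1, 'Site', 2), (2, 'Core', 1);
INSERT INTO user_assigment VALUES (1, 1, 1), (2, 2, 1);             -- alice@Site, bob@Site
INSERT INTO role_user_assigment VALUES (2, 1), (3, 2), (2, 2);      -- alice: PM; bob: Tester + PM
-- The article's trick: bob got PM only for "assign task", so PM's other extra
-- permission is listed as removed for his binding.
INSERT INTO removed_permission_user_asgmt VALUES (2, 2);            -- bob loses "edit note"
"""

# Union of the permissions of every role bound to the user-project binding,
# minus the rows in removed_permission_user_asgmt for that same binding.
EFFECTIVE_SQL = """
SELECT DISTINCT o.name, a.name
FROM user_assigment ua
JOIN role_user_assigment rua ON rua.user_assigment_id = ua.id
JOIN role_permission rp ON rp.role_id = rua.role_id
JOIN permission p ON p.id = rp.permission_id
JOIN object o ON o.id = p.object_id
JOIN "action" a ON a.id = p.action_id
WHERE ua.user_id = ? AND ua.project_id = ?
  AND NOT EXISTS (SELECT 1 FROM removed_permission_user_asgmt r
                  WHERE r.user_assigment_id = ua.id AND r.permission_id = p.id)
"""

def build_demo():
    """Return an in-memory database loaded with the schema and sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA + SAMPLE_DATA)
    return conn

def effective_permissions(conn, user_id, project_id):
    """Set of (object, action) pairs the user holds inside the given project."""
    return {(obj, act) for obj, act in conn.execute(EFFECTIVE_SQL, (user_id, project_id))}

def assignable_roles(conn, project_id):
    """Roles a project-level manager may offer: only those of the project's project_type."""
    rows = conn.execute("""SELECT r.name FROM role r JOIN project p
                           ON p.project_type_id = r.project_type_id
                           WHERE p.id = ? ORDER BY r.name""", (project_id,))
    return [name for (name,) in rows]

def assign_role(conn, user_assigment_id, role_id):
    """Bind a role to a user-project binding. Returns False when the database
    rejects it (the trigger: wrong project_type; a constraint: duplicate or unknown id)."""
    try:
        with conn:
            conn.execute("INSERT INTO role_user_assigment VALUES (?, ?)",
                         (role_id, user_assigment_id))
    except sqlite3.IntegrityError:
        return False
    return True
```

With `build_demo()`, alice (Project Manager in "Site") resolves to add task, edit note and assign task; bob (Tester plus Project Manager, with "edit note" removed) resolves to add task and assign task; and `assign_role(conn, 2, 1)`, an attempt to give bob the "system administrator" role inside a user project, is refused by the trigger. Two points worth keeping in mind: a removed_permission_user_asgmt row applies to the whole user-project binding, not to one role, so a permission removed this way is gone even if a second role of the same binding also grants it; and because every check resolves to concrete object, action and user_assigment ids, a log table can reference those same ids, which is the direct link to logging the article mentions.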

I note that such an organization interacts perfectly with a logging system (not given in this article because of its simplicity), since we can find out which action a particular user performed at a given moment.
This rights organization also combines well with notification systems and task-flow systems.
The system has been in use for 2 years in one of the information systems for business (a PHP application on an Oracle database) and fits perfectly.

Source: https://habr.com/ru/post/217383/
