Databases
StackOverflow2013
Postsdbo
PO
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    text
    copied!<p>I've been having the same problem in .Net whilst implementing a content management system / document management system model.</p> <p>I found that in it's simplest form there are effectively 2 trees and that to do on the fly "effective permissions" calculations based on inherited permissions is unhealthy for your app in terms of scalability however that doesn't mean it's impossible. </p> <p>This means that you can basically calculate effective permissions based on current nodes only to simplify the model. </p> <p>For example: (lets use "Pages" as nodes)</p> <p>In the complex model to figure out the permissions a user has on Page 4 you would effectively take all the permissions assigned to Pages 1, 3 and 4 then do an "additive merge". </p> <p>In the simplified model we would only consider permissions added for the user for Page 4</p> <pre><code> Page 1 Page 2 Page 3 Page 4 </code></pre> <p>To keep my problem as simple as possible and thus as bug free as possible I decided to go for a model where only a role / group can be added with a relevant acl entry to a tree node.</p> <p>This meant to figure out what I wanted in terms of permissions I would effectively run a query like (seudo code only your implementation may vary):</p> <pre><code>var allAcls = "Select all ACL where PageId in (pagesToThisPoint) and Role in (userRoles)" var resultAcl = new aclEntry(); allAcls.Each(acl =&gt; { resultAcl.Delete = (acl.Delete &gt; resultAcl.Delete ? acl.Delete : resultAcl.Delete); resultAcl.Update = (acl.Update &gt; resultAcl.Update ? acl.Update : resultAcl.Update); resultAcl.Read = (acl.Read &gt; resultAcl.Read ? acl.Read : resultAcl.Read); .... }); </code></pre> <p>That leaves 1 other consideration, deny rules, where the rule is a deny rule the typical convention is that it overrides an allow rule.</p> <p>So go back round the loop again and evaluate for denies:</p> <pre><code>allAcls.Each(acl =&gt; { resultAcl.Delete = (acl.Delete == deny ? resultAcl.Delete == deny); resultAcl.Update = (acl.Update == deny ? resultAcl.Update == deny); resultAcl.Read = (acl.Read == deny ? resultAcl.Read == deny); .... }); </code></pre> <p>So you're basically saying get all roles for both user and page, where the page has an acl entry for any of those roles add it to the resulting permissions then remove any permissions where an explicit deny is defined. </p> <p>I'm sure that can be extended further if you then wanted to rerun the process for user specific permissions match all permissions that apply to the current user for the current page and overwrite the role based set. </p> <p>As a general rule of thumb I tend to go by the logic that the the more specific the rule the more relevant it is. </p> <p>So you might say something like ... All managers can access the whole site Managers are denied any rights to the Admin Section of the website All Sales can access the sales section All marketing can access marketing Marketing user "Bob" can access sales</p> <p>the logic above would cover all of this and effectively apply access as follows: Users get rights tot he section for their department (sales users = sales ect) Managers get additional rights and access to all areas accept admin (IT only maybe?) Bob is our exception and although he is in marketing we grant him rights to sales.</p> <p>What this means: 1. Users can be added to roles 2. Pages can be added to roles and the role in question is then given "acl" rights This means I can say something like: If the user is in the sales role grant them "read, update" 3. By definition Page as such is not "in a role" but merely knows how much access to grant a role 4. Extending this model means you can specify acl entries for a specific user 5. A user acl entry overrides a role acl entry 6. Acl entries considered are for the entire tree up to this point 7. A deny rule overrides an allow rule</p> <p>So what happens if say the parent page says "Sales users are denied access completely" and then the page we are on says "Current User bob has full access"?</p> <p>This is based on a choice either the developer / the business makes on how to treat such a scenario ... </p> <p>My thought would be: The user is more local in scope than the role The deny rule applies to the parent whereas the allow rule applies to the page I would take the allow rule.</p> <p>If however the Parent rule was for the user and the Page rule for the role was for the current page I would take the rule for the role using the same logic.</p> <p>Much of this ACL stuff is subjective, I tend to lean on what people are used to, for example: file system permissions in windows, that way the app appears to act in the way the user considers "the norm", that will keep you from getting 20 questions in the future.</p> <p>Mostly anyway.</p>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload