
Multiple levels of authorization, not only role-based
<p>Our application uses multiple ways for authorizing access to a given resource. Although it's working, it's messy and... well, it doesn't seem right.</p>
<h3>1) Role-based authorization</h3>
<p>We have well defined roles where each role has access to a set of the resources and different roles can access the same resources.</p>
<p>Resources, as of now, are simply MVC actions mapped in a database table as <code>module</code>, <code>controller</code> and <code>action</code>.</p>
<p>This seems to be OK, but every time I need to add a new controller/action I have to map this resource to the database table.</p>
<h3>2) User-based authorization</h3>
<p>Besides role-based authorization, users can have more or less access to a subset of resources of another role. <strong>E.g.:</strong></p>
<p><strong>RoleA</strong>: resources <em>a</em>, <em>b</em>, <em>c</em>, <em>d</em><br> <strong>RoleB</strong>: resources <em>x</em>, <em>y</em>, <em>z</em><br> <strong>RoleC</strong>: resources <em>1</em>, <em>2</em>, <em>3</em><br> <strong>User1</strong>: has <strong>RoleA</strong> but needs to access resource <em>y</em><br> <strong>User2</strong>: has <strong>RoleB</strong> and <strong>RoleC</strong> but does not have access to resource <em>z</em></p>
<p>This is implemented as a <code>user_resources</code> table with entries for additional resources that the user has access to or is denied (indicated by a flag).</p>
<p>I could create different roles with tailored access, treating roles as groups of permissions, but that would lead to a role explosion.</p>
<h3>3) Model state authorization</h3>
<p>If that's not enough, some actions can only be performed when the model is in a certain state (each model knows when something can be done). <strong>E.g.:</strong> an order can only be edited if the user has access to the <em>edit</em> resource (through steps #1 or #2) and the object <code>Order</code> can be edited.</p>
<p><strong>Another example:</strong> a user can access a <code>Customer</code> if he has access to the <code>/customer/view</code> resource and he <em>owns</em> that Customer (he is the contact info for that customer).</p>
<h3>4) Display information in UI</h3>
<p>A role, group of roles or individual users can see more or less information about a model, depending on its state.</p>
<p>How can I simplify this authorization process without losing flexibility in giving or restraining access to resources?</p>
<p>Is there any pattern I'm missing here to unify all this authorization in a single place?</p>