StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POComplex Righty System: ACL, RBAC and more what?
primarykey
Id
13580702
data
AcceptedAnswerId
0
AnswerCount
2
ClosedDate
CommentCount
0
CommunityOwnedDate
CreationDate
2012-11-27T09:10:17.587
FavoriteCount
4
LastActivityDate
2013-09-30T16:44:35.633
LastEditDate
2013-03-20T04:25:16.567
LastEditorUserId
37706
OwnerUserId
1855854
ParentId
0
PostTypeId
1
Score
5
ViewCount
2513
LastEditorDisplayName
text
Body
We are currently developing a project management software. And we are having trouble deciding on the correct approach to implement security. We have looked at both ACL and RBAC and are already pretty certain that we need at least a combination of both for specific reasons. But there are a couple of problems that do not have a nice solution in either world. Let me explain: Let's say you have the following entities: <ol> <li>Users, with different roles, i.e. <ul> <li>Project Lead</li> <li>Worker</li> <li>Admin</li> </ul></li> <li>Projects</li> <li>Assigned Users</li> <li>Tasks in Project</li> </ol> Now the following rule should be expressed: A User with the Role Worker is only allowed to view Tasks, which are related to a project he is assigned to. This results in that a User is only allowed to view some Tasks in the whole list. We would use RBAC to give Roles the permission to actually read Tasks. But the condition is not applied as there are specific entities involved. ACL could be used, but we fear the nightmare of keeping the ACL entries consitent with the requirements (Users can change, Roles can change, new Tasks can be introduced an would have to get the correct entries, which is just as complex). Of course there could be specific queries when viewing a specific project (<code>WHERE project_id = 123</code>), but this does not help for a "View of all my current Tasks", where basically every task can be considered for display, but the ACL would have to be checked for every single entriy. And how do I ensure things like "Get the first 25 Tasks the current User is allowed to see" without loading all the tasks from the DB and then filtering based on the ACL, i.e. handling pagination.
Tags
<php><security><zend-framework2><acl><rbac>
Title
Complex Righty System: ACL, RBAC and more what?
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. USPowerKiKi
UserOwnerUserId
1. USpdobrigkeit
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
2. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POComplex Righty System: ACL, RBAC and more what?
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 POComplex Righty System: ACL, RBAC and more what?
 UserUserId
 USfeamsr00
 VoteTypeVoteTypeId
 VTFavorite
3. VO
 singulars
 PostPostId
 POComplex Righty System: ACL, RBAC and more what?
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. This table or related slice is empty.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.