The problem I see with assigning a role based on what a user does/has is that it hardcodes rules in your code. The implicit rule in your example is:

    deny user access when user has property/behavior X

A way to see this is hardcoded is to ask yourself what would happen if you wanted to adjust it. Suppose you found the suspicious behaviour a bit too strict and want to tolerate some more, then you would have to go into the file.php and change it.

I think your best bet is to look into the assertion part of the rules:

http://framework.zend.com/manual/en/zend.acl.advanced.html

Depending on your specific needs these can be a good solution.

edit: answer to comment -> I appreciate the point you make. I think it points to why RBAC will be replaced by more powerful access controls like attribute based access control. This will allow rules based on the attributes of users and objects/resources under control. Ideally you want the access control to have as much permission decision logic in it as possible. When you assign roles to users implicitly some of the decision making will be outside of the access control (eg what user will be administrator is mostly determined by things like who owns the website). But you want to minimize the decision making outside of the acl because it adds a layer of access that is not controlled by the acl. Thus deciding who will have a particular role is often implied and outside the acl. But still it is the area of access control, determined by some logic, and it's best to keep as much logic inside the program that has the responsibility to handle this domain. Hope this rambling makes sense :-)
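The assertion approach the answer points to, shown as an added example that is not part of the original answer or of Zend Framework's own code. It assumes Zend Framework 1 (Zend_Acl, Zend_Acl_Assert_Interface) is on the include_path and that Zend_Acl hands the object passed to isAllowed() through to the assertion unchanged; the SiteUser and NotSuspiciousAssertion classes, the "flagged posts in the last day" attribute and the threshold of 3 are all hypothetical. The point it demonstrates is the one made above: the "suspicious behaviour" rule becomes an ACL assertion with a configurable tolerance instead of a literal comparison buried in file.php.

```php
<?php
// Added example, not code from the original answer or from Zend Framework.
// Assumes Zend Framework 1 is on the include_path; all class and attribute
// names below are hypothetical.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';
require_once 'Zend/Acl/Assert/Interface.php';

// The user object is itself the role handed to isAllowed(), so the assertion
// can read the attribute ("property/behaviour X") instead of the controller
// hardcoding the check.
class SiteUser implements Zend_Acl_Role_Interface
{
    private $roleId;
    private $flaggedPostsLastDay;

    public function __construct($roleId, $flaggedPostsLastDay)
    {
        $this->roleId = $roleId;
        $this->flaggedPostsLastDay = (int) $flaggedPostsLastDay;
    }

    public function getRoleId()
    {
        return $this->roleId;
    }

    public function getFlaggedPostsLastDay()
    {
        return $this->flaggedPostsLastDay;
    }
}

// "Deny when the user is behaving suspiciously" as an ACL assertion. The
// tolerance is a constructor argument, so loosening it does not mean editing
// application code.
class NotSuspiciousAssertion implements Zend_Acl_Assert_Interface
{
    private $maxFlaggedPosts;

    public function __construct($maxFlaggedPosts)
    {
        $this->maxFlaggedPosts = (int) $maxFlaggedPosts;
    }

    public function assert(Zend_Acl $acl, Zend_Acl_Role_Interface $role = null,
                           Zend_Acl_Resource_Interface $resource = null, $privilege = null)
    {
        // Fail closed: if the ACL was queried with a bare role id (string) or a
        // plain Zend_Acl_Role, the attribute is unknown and the allow rule must
        // not apply. Zend_Acl then falls back to its default deny.
        if (!($role instanceof SiteUser)) {
            return false;
        }
        return $role->getFlaggedPostsLastDay() <= $this->maxFlaggedPosts;
    }
}

$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('member'));
$acl->add(new Zend_Acl_Resource('forum'));

// Members may post only while the assertion holds. The threshold (3 here)
// would normally be read from configuration rather than written inline.
$acl->allow('member', 'forum', 'post', new NotSuspiciousAssertion(3));

// Constructed sample users: one well below the threshold, one above it.
$quietUser = new SiteUser('member', 0);
$noisyUser = new SiteUser('member', 5);

var_dump($acl->isAllowed($quietUser, 'forum', 'post'));
var_dump($acl->isAllowed($noisyUser,  'forum', 'post'));
// A query with only the role id carries no attributes, so the assertion
// refuses and the default deny applies.
var_dump($acl->isAllowed('member', 'forum', 'post'));
```

Two design choices matter here. The decision logic stays inside the ACL, which is what the answer argues for: the controller only asks `isAllowed()`, and changing the tolerance means changing the value passed to the assertion, not the control flow around the call. And the assertion fails closed when it is handed a role without the attribute it needs; an assertion that returned true in that case would silently turn every bare-role query into an allow.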