Restricting access to objects in an application

<p>One problem that I come across regularly and yet don't have a solution to is to restrict or permit access to specific entities in a system. Some companies (banks, for example) have very strict policies regarding which employees may access certain information. For example, an employee at a specific branch may access account information for customers of that specific branch but not from other branches. Also, banks that have branches in many countries may be subject to legal restrictions that restrict employees in other countries from accessing information about domestic customers.</p>
<p>Another example I've come across is a public website where users belong to a specific entity (such as a company) and may access information regarding that entity only and not other entities.</p>
<p>If the number of entities is small and fixed, this is not a problem. Simply specify domain groups in Active Directory (if you're working in Microsoft environments, which is the case for me), add users to the groups and restrict access using IsInRole() for each entity. So if there is a company called ABC in the system I'd create a domain group called "Admins_ABC" or something like that, and when a user tries to administer information about ABC, I'd make sure the user is a member of that group. This is not really the way AD is intended to be used, but for a small number of entities I've found it reasonable.</p>
<p>The complexity increases when the number of entities changes often and when the requirements become more detailed. I've seen security requirements that are similar to security in NTFS: some users (or groups of users) should be able to access some entities (files in NTFS) or groups of entities (the permissions that are set on directories in NTFS are propagated to their children).</p>
<p>I try to avoid situations like these because they tend to be a nightmare to model and code and they usually become complex to administer, but the customers I work with often need solutions to this problem.</p>
<p>Like I said, I have never actually solved this problem in a <em>good</em> way. How would you go about modeling and developing a solution for this problem in a way that can be reused? Do you know of any general, proprietary solutions that can be used?</p>
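
As an added example that is not part of the original question (and not an answer posted on the page), the following Python models the NTFS-like requirements the question describes: entities arranged in a tree, principals that are users or groups, and access-control entries placed on a node that propagate to its children unless marked otherwise. The bank/country/branch/customer identifiers, the group names, and the evaluation rule (the nearest level with a matching entry decides, and at that level an explicit deny beats an allow) are assumptions chosen for the illustration; the page does not specify any of them.

```python
"""NTFS-style, object-level access control (added illustration, not from the page).

Entities form a tree.  A node may carry access-control entries (ACEs) that
name a principal (user or group), a permission, an effect and whether the
entry propagates to children.  A check walks from the requested entity to
the root: the nearest level holding a matching entry decides, and at that
level a deny beats an allow.  No match anywhere means no access.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ALLOW, DENY = "allow", "deny"
EVERYONE = "everyone"  # implicit group that every user belongs to


@dataclass
class Ace:
    principal: str        # user id or group id
    permission: str       # e.g. "read", "admin"
    effect: str           # ALLOW or DENY
    inherit: bool = True  # False: applies to this entity only, not to its children


@dataclass
class Entity:
    id: str
    parent: Optional["Entity"] = None
    acl: List[Ace] = field(default_factory=list)


class AccessModel:
    def __init__(self) -> None:
        self.entities: Dict[str, Entity] = {}
        self.groups: Dict[str, Set[str]] = {}  # user -> set of group ids

    def add_entity(self, entity_id: str, parent: Optional[str] = None) -> None:
        self.entities[entity_id] = Entity(entity_id, self.entities[parent] if parent else None)

    def add_to_group(self, user: str, group: str) -> None:
        self.groups.setdefault(user, set()).add(group)

    def grant(self, entity: str, principal: str, perm: str, inherit: bool = True) -> None:
        self.entities[entity].acl.append(Ace(principal, perm, ALLOW, inherit))

    def deny(self, entity: str, principal: str, perm: str, inherit: bool = True) -> None:
        self.entities[entity].acl.append(Ace(principal, perm, DENY, inherit))

    def principals_for(self, user: str) -> Set[str]:
        return {user, EVERYONE} | self.groups.get(user, set())

    def is_allowed(self, user: str, entity: str, perm: str) -> bool:
        """Walk from `entity` up to the root; the nearest level with a match decides."""
        principals = self.principals_for(user)
        node, on_target = self.entities[entity], True
        while node is not None:
            matching = [a for a in node.acl
                        if a.permission == perm and a.principal in principals
                        and (on_target or a.inherit)]  # inherited entries must propagate
            if matching:  # an explicit deny at this level beats any allow at this level
                return all(a.effect == ALLOW for a in matching)
            node, on_target = node.parent, False
        return False  # nothing matched anywhere: default deny


def build_bank_example() -> AccessModel:
    """Constructed scenario mirroring the question (hypothetical ids and groups)."""
    m = AccessModel()
    for entity, parent in [("bank", None), ("country:SE", "bank"), ("country:DE", "bank"),
                           ("branch:stockholm", "country:SE"), ("branch:gothenburg", "country:SE"),
                           ("branch:berlin", "country:DE"), ("customer:1001", "branch:stockholm"),
                           ("account:1001-1", "customer:1001"), ("customer:2001", "branch:gothenburg"),
                           ("account:2001-1", "customer:2001"), ("customer:3001", "branch:berlin")]:
        m.add_entity(entity, parent)
    m.add_to_group("alice", "staff:stockholm")
    m.add_to_group("bob", "staff:gothenburg")
    m.add_to_group("carl", "staff:berlin")
    m.add_to_group("carl", "auditors")
    m.add_to_group("dana", "auditors")
    # Branch staff read everything under their own branch (propagates to customers and accounts).
    m.grant("branch:stockholm", "staff:stockholm", "read")
    m.grant("branch:gothenburg", "staff:gothenburg", "read")
    m.grant("branch:berlin", "staff:berlin", "read")
    # Auditors may read bank-wide ...
    m.grant("bank", "auditors", "read")
    # ... but a legal restriction on the Swedish subtree keeps German staff out, auditor or not:
    # the deny sits closer to the customer than the bank-wide allow, so it wins.
    m.deny("country:SE", "staff:berlin", "read")
    # One shared customer handled by alice; the entry does not propagate to its accounts.
    m.grant("customer:2001", "alice", "read", inherit=False)
    return m


if __name__ == "__main__":
    model = build_bank_example()
    for user, entity in [("alice", "account:1001-1"), ("alice", "customer:2001"),
                         ("alice", "account:2001-1"), ("carl", "customer:1001"),
                         ("carl", "customer:3001"), ("dana", "customer:1001")]:
        print(f"{user:6} read {entity:15} -> {model.is_allowed(user, entity, 'read')}")
```

In a database-backed system the same model is an `acl` table keyed by (entity_id, principal, permission) with `effect` and `inherit` columns plus a parent pointer or closure table for the entity tree; the walk above becomes a query over the entity's ancestor chain. Two caveats worth checking in any such implementation: the default must be deny when no entry matches, and the order in which explicit and inherited entries are evaluated must be fixed and documented, because "nearest entry wins" and "any deny wins" give different answers for the same ACL.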