Question

Does anyone know of some good resources related to setting up heirarchical user account systems? I'm currently setting one up and am struggling with some of the more complex logic (especially with determining permissions). I was hoping I might be able to find some resources to help me along.

Some Background: I'm building a user account system for a web CMS that allows for a nested group hierarchy. Each group can be allowed/denied access to read, write, add, and delete (either explicitly for that group, or implicitly by one of its parents). As if that weren't complicated enough, the system also allows for users to be members of multiple groups. -- This is where I'm stuck. I've got everything set up, but I'm struggling with the actual logic for determining pemissions for a given user.

Was it helpful?

Solution

The manual for CakePHP has an excellent description of how Access Control Lists work.

http://book.cakephp.org/2.0/en/core-libraries/components/access-control-lists.html

OTHER TIPS

Represent the permissions set for a given group as a bit mask. OR-ing the bit masks together will give you the resultant permission set.

Update for @Alex:

I wrote this answer 3 years ago, but I believe I was alluding to the following...

From the question

a nested group hierarchy. Each group can be allowed/denied access to read, write, add, and delete (either explicitly for that group, or implicitly by one of its parents). As if that weren't complicated enough, the system also allows for users to be members of multiple groups. -- This is where I'm stuck. I've got everything set up, but I'm struggling with the actual logic for determining pemissions for a given user.

Assign a bitmask matching the total permission set of a group (or role) in the system:

e.g. 00 (using two bits keeps it simple here!)

The first bit confers Permission A and the second Permission B.

Now say Group A confers the following permission set: 01.

... and say Group B confers the following permission set: 10.

To get the resultant permission set for a user in an arbitrary set of groups you could perform a logical OR on the permission set bit masks:

Permission set for Group A   01
Permission set for Group B   10 OR 
                             ----
Resultant permission set     11 (i.e. both permission A and B are conferred)

I do not know the details of the questioner's system, but the system outlined here could be augmented to achieve different group-composition behaviors using different logical operators.

Look at the permissions in the Andrew File System. It allows users to create and administer groups of their own, while selectively assigning admin rights and ACLs. You might find that many of the pesky details are already worked out for you in their model.

Edit: here's a better link to AFS documentation:

http://www.cs.cmu.edu/~help/afs/index.html

Here's the section on groups:

http://www.cs.cmu.edu/~help/afs/afs_groups.html

I've done exactly this before and its no trivial implementation. You're going to want to look at the SecurityPermission class.

[http://msdn.microsoft.com/en-us/library/system.security.permissions.securitypermission.aspx][1]

I have done this before by utilizing XML (which I'm not sure I'd do again) and storing that XML as permission list inside of SQL server in an XML column through a CLR stored proc. The XML would have an element called a "permission" and then the permission would actually be a ENUM inside of the code. Each permission was a new implementation of the SecurityPermission class (linked above) Users were tied to groups which were defined in SQL server and then as the user was added/removed to groups, the XML doc would get updated to reflect which groups they were apart of.

As soon as the user logged in, the users credentials would be loaded into the application store (session) and then would be accessed accordingly. When authorization needed to take place the XMl in the application store would be pulled down loaded into the SecurityPermission via the "FromXML" method. At that point I would use the following methods to determine if the user had permission:

  • Demand
  • Intersect
  • Union
  • IsUnrestricted
  • IsSubSetOf

etc., etc, etc.

At that point after performing the Demand I was able to determine if the caller had access according to how I implemented my security routines in the SecurityPermissions.

Again, this is leaving out a TON of detail, but this should get you going down the right path.

Take a look at this name space as well: [2]: http://msdn.microsoft.com/en-us/library/system.security.permissions.aspx "System.Security.Permissions"

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top