Reputation: 227
Best way to implement RBAC with Access
I'm programming a new application with many users, a few roles and specific permissions for those roles. For that I want to create the following tables:
Users (ID,Login, password,..)
Roles(ID,Rolename)
User_Roles(User_ID, Role_ID)
Permissions(ID,PermissionName)
Permission_Roles(Permission_ID, Role_ID)
My idea was to build a function, which allows to check if a user has a specific permission to access a form. I would do that by creating Permissions/Rules like 'canReadFormX', 'canEditFormX' which would allow me to use one main function to check and perfom those specific rules and a function per form to call it.
Is that a way to go (or rather did I understand everything correctly regarding RBAC) or is that just far to complicated? Any advise is very appreciated!
Upvotes: 0
Views: 481
Answers (1)
Reputation: 11138
It seems fair to me, and similar to what we have already set, for the first 3 tables.
You then have to solve the 'action' problem, ie to distribute permissions to use your appl's actions. I am not sure that your 'Permissions' proposal will cover all the situations, as you have to deal with 2 major categories of actions:
- The 'Open form' actions, that you already have identified: you effectively have to define 2 levels of authorisation for each form: the 'view' right, and the 'update' right.
- All other actions, such as form specific buttons or menus, that will allow you to run a specific action other than just opening a form (execute a report, make a specific calculation, automatically import or update data, etc).
One solution/My advice is to maintain 2 tables for this:
- A 'Forms' table
- An 'Actions' table
And the corresponding link tables:
- A 'Form_Role' table
- An 'Action_Role' table
With such a configuration, you are fully covered. You can even decide which role has the right to see a specific report on a specific form, as long as the corresponding action is accessed through a specific control or menu on the form.
Both Forms and Actions tables are very interesting as they both participate in your application metamodel...
EDIT: By the way, if you are on a domain, you can use user's domain credentials to control his\her access rights to your system. In this case you do not need to store a password in your RBAC system.
Upvotes: 2
Related Questions
- Too many roles with RBAC. Alternatives?
- RBAC + ABAC hybrid access control model
- What best practices or access control models are recommended for implementing fine-grained access control
- Designing a role based access control with support for relations
- RBAC system with two parameters
- Need some advice on my own Role Based Access Control (RBAC)
- Role-based access control for a WPF app - best practices
- Is this a good strategy for implementing access control?
- In which layer to implement RBAC in a web application?
- Resource Based Access Control vs Role Based Access Control