Reputation: 28125
Let's say my system is made up of two business object types: projects and users.
According to user permission, s/he can:
| Action | Role |
|-----------------|------------------|
| view projects | Clients |
| edit projects | Devs |
| manage projects | Managers |
| manage users | Administrators |
The problem is, clients can see only some specific projects. Projects can either be set as public (everyone sees them) or they can be set to be visible to certain specific clients.
Same with devs: a developer can edit his own projects, as well as other projects as set by a manager. A manager should be able to create and manage users/projects unless an admin specifically denies that capability to the manager for specific projects. Admins have full access to manage anything on the system, including all users and all projects.
That's pretty much what I'm trying to achieve. "How" is what is worrying me.
Usually, for the roles you would have a 'role' column in your user table, which would specify the kind of role the user has. Since we won't have clients that are developers at the same time, this column won't need to be a bitmask.
The next step would be to have a rule system to specify what users can access according to their role. It's impossible to fit this in existing tables (without array fields - which are kinda dirty), so I guess I will need a separate table.
This would look like:
| user_id | access | object_type | object_id | meaning |
|---------|---------|-------------|-----------|---------|
| 45 | allowed | user | 42 | user 45 can manage user 42 |
| 42 | denied | project | 30 | user 42 cannot do anything with project 30 |
The table must be used with the user roles. For example, if user 45 is a client, he cannot do anything to user 42 (even if the rule exists anyway).
On the other hand, I know I'm aiming at too much flexibility on this one, but I refuse to accept there isn't a way to achieve this kind of functionality.
So, the actual questions:
Upvotes: 1
Views: 1543
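One way to implement the model the question sketches, as an added example that is not part of the original post: a role column on the user row, a separate rule table keyed by (user, object_type, object_id) with `allowed`/`denied` rows, and an authorization function that consults the role first and the rule table second. The schema, the sample rows, the `is_public`/`owner_id` columns on `projects`, and the precedence rules (an explicit deny beats everything, managers are allowed by default unless denied, devs always get their own projects, public projects are viewable by everyone) are this example's assumptions drawn from the post's prose; the post itself does not fix them. SQLite in memory stands in for whatever database the questioner uses.

```python
import sqlite3

# Which (object_type, action) pairs each role may ever perform. This is the
# "rule table must be used with the user roles" step from the question: a rule
# row can never grant something the user's role does not allow in the first place.
ROLE_ACTIONS = {
    "client":  {("project", "view")},
    "dev":     {("project", "view"), ("project", "edit")},
    "manager": {("project", "view"), ("project", "edit"), ("project", "manage"),
                ("user", "manage")},
    "admin":   None,  # admins bypass every check below
}

# Assumed schema: the post only names a role column, projects and the rule table.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                    role TEXT NOT NULL CHECK (role IN ('client','dev','manager','admin')));
CREATE TABLE projects (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
                       is_public INTEGER NOT NULL DEFAULT 0,
                       owner_id INTEGER REFERENCES users(id));
CREATE TABLE acl (user_id INTEGER NOT NULL REFERENCES users(id),
                  access TEXT NOT NULL CHECK (access IN ('allowed','denied')),
                  object_type TEXT NOT NULL CHECK (object_type IN ('user','project')),
                  object_id INTEGER NOT NULL,
                  PRIMARY KEY (user_id, object_type, object_id));
"""

# Constructed sample data (not from the post).
USERS = [(1, "alice", "admin"), (2, "mike", "manager"), (3, "dave", "dev"),
         (4, "cara", "client"), (5, "carl", "client"), (6, "dana", "dev")]
PROJECTS = [(10, "public site", 1, 6), (20, "internal tool", 0, 3), (30, "secret", 0, 6)]
ACL = [(2, "denied",  "project", 30),  # an admin denied manager mike project 30
       (3, "allowed", "project", 30),  # a manager let dev dave edit project 30
       (4, "allowed", "project", 20),  # client cara may see private project 20
       (4, "allowed", "user",    5)]   # stray row: cara is a client, so it is ignored


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?,?,?)", USERS)
    conn.executemany("INSERT INTO projects VALUES (?,?,?,?)", PROJECTS)
    conn.executemany("INSERT INTO acl VALUES (?,?,?,?)", ACL)
    return conn


def can(conn, user_id, action, object_type, object_id):
    """Return True if user_id may perform action on (object_type, object_id)."""
    row = conn.execute("SELECT role FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None:
        return False                      # unknown user: deny by default
    role = row[0]
    if role == "admin":
        return True                       # admins manage everything
    if (object_type, action) not in ROLE_ACTIONS[role]:
        return False                      # role gate: rule rows cannot override this
    row = conn.execute(
        "SELECT access FROM acl WHERE user_id = ? AND object_type = ? AND object_id = ?",
        (user_id, object_type, object_id)).fetchone()
    access = row[0] if row else None
    if access == "denied":
        return False                      # an explicit deny always wins
    if role == "manager":
        return True                       # managers get their role's full set unless denied
    if access == "allowed":
        return True                       # explicit grant recorded in the rule table
    if object_type == "project":
        row = conn.execute("SELECT is_public, owner_id FROM projects WHERE id = ?",
                           (object_id,)).fetchone()
        if row is None:
            return False
        is_public, owner_id = row
        if action == "view" and is_public:
            return True                   # public projects are visible to everyone
        if role == "dev" and owner_id == user_id:
            return True                   # devs can always edit their own projects
    return False


if __name__ == "__main__":
    db = build_db()
    for args in [(2, "manage", "project", 30), (4, "view", "project", 20),
                 (4, "manage", "user", 5), (3, "edit", "project", 10)]:
        print(args, "->", can(db, *args))
```

The order of the checks is the security-relevant part: the role gate runs before the rule table is consulted, so a stray `allowed` row for a client on a user object (the case in the question) changes nothing, and a `denied` row is honoured before any default or public-visibility rule can allow access.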
Reputation: 81
What makes up these projects? Databases, files and folders, or what? Are these projects database projects or something else?
If they are databases, briefly:
```sql
-- One account for the administrator, granted everything on every schema.
-- WITH GRANT OPTION is optional: it lets this account hand out grants itself.
CREATE USER 'monty'@'localhost' IDENTIFIED BY 'some_pass';
GRANT ALL PRIVILEGES ON *.* TO 'monty'@'localhost' WITH GRANT OPTION;

-- One schema per project; each project account is confined to its own schema.
CREATE USER 'user1'@'%' IDENTIFIED BY 'some_pass';
GRANT ALL PRIVILEGES ON project1.* TO 'user1'@'%';
CREATE USER 'user2'@'%' IDENTIFIED BY 'some_pass';
GRANT ALL PRIVILEGES ON project2.* TO 'user2'@'%';
```
If these projects contain files and folders then you should use file system permissions. What operating system and file system are you using? On Linux file systems:

- `chgrp` (change group)
- `chown` (change owner)
Upvotes: 1