  1. #1 MartijnG (SitePoint Member, joined Apr 2005, 3 posts)

    Alternative RBAC model?

    Hi,

    I'm busy making my own CMS, and I have chosen to use an RBAC system for my security and authorization/authentication work. For my system I have worked out this database model:
    Code:
    ## Users
    CREATE TABLE users
    (
      u_id INT(7) UNSIGNED AUTO_INCREMENT PRIMARY KEY,
      u_name VARCHAR(255) NOT NULL default '',
      u_username VARCHAR(255) NOT NULL default '',
      u_password VARCHAR(32) NOT NULL default '',
      u_email VARCHAR(255) NOT NULL default '',
      u_active ENUM('Y', 'N')
    ) ENGINE=MyISAM;
    
    ## Roles
    CREATE TABLE roles
    (
      r_id INT(6) UNSIGNED AUTO_INCREMENT PRIMARY KEY,
      r_name VARCHAR(255) NOT NULL default ''
    ) ENGINE=MyISAM;
    
    ## Permissions
    CREATE TABLE permissions
    (
      p_id INT(6) UNSIGNED AUTO_INCREMENT PRIMARY KEY,
      p_name VARCHAR(255) NOT NULL default ''
    ) ENGINE=MyISAM;
    
    ## UserRole (which roles a user holds)
    CREATE TABLE user_role
    (
      u_id INT(7) UNSIGNED default '0',
      r_id INT(6) UNSIGNED default '0'
    ) ENGINE=MyISAM;
    
    ## RolePermission (which permissions a role grants)
    CREATE TABLE role_permission
    (
      r_id INT(6) UNSIGNED default '0',
      p_id INT(6) UNSIGNED default '0'
    ) ENGINE=MyISAM;
    Now the point is that, if I want to check e.g. "Has x got permissions to edit this article?", then I must use some kind of code like:
    PHP Code:
    if ( $user->hasPermission('editArticle') )
    {
        // Edit article
    }

    Now the problem is, if I use this method, I should know exactly which permissions I can have, and make checks for them; otherwise I can't check a permission that isn't defined in the checks (e.g. I can't set revokePermission in my admin panel / database if it isn't checked in the code).

    Now my question is, is there an alternative way of linking a role to a permission, and a permission OF THAT USER / ROLE to an operation (like CRUD)?

    [PS: I've read several topics in this forum containing discussion about RBAC modelling and linked things, but I can't come up with anything else like this.]

    MartijnG

  2. #2 MartijnG (SitePoint Member, joined Apr 2005, 3 posts)
    I still haven't found a solution for my problem, although I tried several things. Isn't there anyone who can help me out?
    Proud to be Dutch
    Currently developing a CMS

  3. #3 SitePoint Wizard (joined Aug 2004, California, 1,672 posts)
    The first thing I'd want to know is how complex a system you need. Perhaps a simple article permissions table might be enough:
    Code:
    CREATE TABLE user_role
    (
      u_id INT(7) UNSIGNED default '0',
      article_id INT(7) UNSIGNED default '0'
    ) ENGINE=MyISAM;
    As long as you keep the permission system behind an interface, you can keep adding complexity.
    Christopher

  4. #4 Ren (SitePoint Wizard, joined Aug 2003, UK, 1,060 posts)
    Not sure what your problem is exactly, but instead of checking the permissions in PHP you could do it in the SQL, and just pass the user primary key. (Assuming you're using a recent version of MySQL, as DELETE/UPDATE requires subqueries.)

    Code:
    INSERT INTO Articles(Title, Body)
             -- DISTINCT: a user whose roles grant addArticle more than once
             -- must still produce exactly one row
             SELECT DISTINCT 'New Article', 'New Article Body'
                FROM user_role AS ur
                     INNER JOIN role_permission AS rp ON ur.r_id = rp.r_id
                     INNER JOIN permissions AS p ON rp.p_id = p.p_id
                WHERE ur.u_id = 1 AND p.p_name = 'addArticle';
    Wouldn't insert a row unless the user with id 1 had the addArticle permission.
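    Ren's guarded INSERT ... SELECT run end to end, as an added example that is not code from the thread: Python's sqlite3 stands in for MySQL, the schema is a cut-down copy of MartijnG's tables, and the users, roles, the articles table and the DISTINCT on the SELECT are constructed here. It shows the query inserting nothing for a user without the permission and exactly one row for a user who holds it through two roles.

```python
import sqlite3

# Constructed sample data on a cut-down copy of the OP's schema (SQLite flavour).
SCHEMA = """
CREATE TABLE users (u_id INTEGER PRIMARY KEY, u_username TEXT NOT NULL);
CREATE TABLE roles (r_id INTEGER PRIMARY KEY, r_name TEXT NOT NULL);
CREATE TABLE permissions (p_id INTEGER PRIMARY KEY, p_name TEXT NOT NULL);
CREATE TABLE user_role (u_id INTEGER, r_id INTEGER);
CREATE TABLE role_permission (r_id INTEGER, p_id INTEGER);
CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
INSERT INTO users VALUES (1, 'alice'), (2, 'bob');
INSERT INTO roles VALUES (1, 'editor'), (2, 'author');
INSERT INTO permissions VALUES (1, 'addArticle');
-- alice holds two roles that both grant addArticle; bob holds no role at all
INSERT INTO user_role VALUES (1, 1), (1, 2);
INSERT INTO role_permission VALUES (1, 1), (2, 1);
"""

# Ren's guarded INSERT ... SELECT. DISTINCT stops two qualifying roles
# from inserting the same article twice.
GUARDED_INSERT = """
INSERT INTO articles (title, body)
SELECT DISTINCT ?, ?
  FROM user_role AS ur
       JOIN role_permission AS rp ON ur.r_id = rp.r_id
       JOIN permissions AS p ON rp.p_id = p.p_id
 WHERE ur.u_id = ? AND p.p_name = 'addArticle';
"""

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def add_article(conn: sqlite3.Connection, user_id: int, title: str, body: str) -> int:
    """Insert only if user_id holds addArticle; return the number of rows inserted (0 or 1)."""
    cur = conn.execute(GUARDED_INSERT, (title, body, user_id))
    conn.commit()
    return cur.rowcount

def article_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM articles").fetchone()[0]

if __name__ == "__main__":
    db = open_db()
    print(add_article(db, 1, "New Article", "New Article Body"))  # 1: alice may add
    print(add_article(db, 2, "Other", "Denied"))                   # 0: bob may not
    print(article_count(db))                                       # 1
```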

  5. #5 MartijnG (SitePoint Member, joined Apr 2005, 3 posts)
    @arborint: I'm using different modules, like an article system, a newsletter system, a forum etc. What I want is an easy and flexible system. I want it to be possible to add roles in my admin panel (for certain areas), and therefore I don't want to keep changing the code ;-)
    Proud to be Dutch
    Currently developing a CMS

  6. #6 SitePoint Member (joined May 2005, 1 post)

    RBAC Choices

    If you look at the various security models available (for example J2EE), they are based on the design that each application will know about the permission that a user needs to perform an action. RBAC then allows you to map those known permissions to roles, which are declared as part of the product definition. You then assign these roles to the users at runtime, and in your code you validate at runtime whether a user belongs to a role, to decide whether they are allowed to perform the action they are trying to accomplish. In this scenario the application exposes pre-defined roles and not permissions. Since this model does not define a role-to-permission mapping, the roles that finally get implemented contain the information about the resource and permission themselves.
    The other model is the one you are trying to implement, which basically works by asking the question
    Can <username> perform <action> on <resource>?
    where the action correlates to the permission you are talking about!
    In this scenario the roles are defined at runtime, access rules are created in the form "Allow/Deny <role> the permission to perform <action> on <resource> if <condition>", and then users are assigned roles! This is a better but more complex model to implement than the original RBAC.
    W.r.t. implementation of this model, one of the approaches available is the one you have described, where the code itself contains the name of the action embedded in it. But another possible way, especially in a web-based system, is to utilize the URL for making the authorization decision, so that for a URL of the form
    <site.com>/product/module/resource?action=permission
    you can implement a servlet filter or some generic authorization module that extracts the resource name and permission from the URL, and the user name from session information, to ask the question defined above.
    Hope this helps. www.jroller.com/page/sjha/20040626
    Last edited by shekhar-jha; May 3, 2005 at 02:52.
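    The rule-based model described in this last reply (Allow/Deny <role> the permission to perform <action> on <resource> if <condition>, with resource and action taken from a URL of the form /product/module/resource?action=permission), worked through as an added Python example that is not from the post or the thread; Python stands in for the servlet filter, and the role names, modules, rule table and URLs are constructed. Because roles and rules are data rows rather than code, adding a role in an admin panel needs no code change, which is the flexibility MartijnG asked for.

```python
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import parse_qs, urlparse

# One access rule, in the post's form:
# Allow/Deny <role> the permission to perform <action> on <resource> if <condition>.
@dataclass(frozen=True)
class Rule:
    effect: str          # "allow" or "deny"
    role: str
    action: str          # "*" matches every action
    resource: str        # exact "module/name", "module/*", or "*"
    condition: Optional[Callable[[dict], bool]] = None  # evaluated on a context dict

def resource_matches(pattern: str, resource: str) -> bool:
    if pattern in ("*", resource):
        return True
    return pattern.endswith("/*") and resource.startswith(pattern[:-1])

def extract_request(url: str) -> tuple[str, str]:
    """Map <site>/product/module/resource?action=permission to (module/resource, action)."""
    parts = urlparse(url)
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 3:
        raise ValueError("expected /product/module/resource")
    action = parse_qs(parts.query).get("action", ["view"])[0]  # no action: read-only view
    return f"{segments[1]}/{segments[2]}", action

def is_allowed(roles: set[str], resource: str, action: str, rules: list[Rule], ctx: dict) -> bool:
    """Any matching deny wins; otherwise at least one matching allow is required."""
    hits = [r for r in rules
            if r.role in roles
            and r.action in ("*", action)
            and resource_matches(r.resource, resource)
            and (r.condition is None or r.condition(ctx))]
    if any(r.effect == "deny" for r in hits):
        return False
    return any(r.effect == "allow" for r in hits)

# Constructed rule table (hypothetical roles and modules); in a CMS these would be DB rows.
RULES = [
    Rule("allow", "editor", "*", "articles/*"),
    Rule("allow", "author", "edit", "articles/*", lambda c: c["owner"] == c["user"]),
    Rule("allow", "member", "view", "*"),
    Rule("deny", "suspended", "*", "*"),
]

def check(url: str, user: str, roles: set[str], owner: Optional[str]) -> bool:
    resource, action = extract_request(url)
    return is_allowed(roles, resource, action, RULES, {"user": user, "owner": owner})
```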
