Alternative RBAC model?

[MartijnG]

Hi,

I'm busy making my own CMS, and I have chosen to use a RBAC system for my security and authorization/authentication work. For my system I have worked out this database model;

Code:

## Users
CREATE TABLE users
(
  u_id INT (7) UNSIGNED AUTO_INCREMENT PRIMARY KEY,
  u_name VARCHAR(255) NOT NULL default '',
  u_username VARCHAR(255) NOT NULL default '',
  u_password VARCHAR(32) NOT NULL default '',
  u_email VARCHAR(255) NOT NULL default '',
  u_active ENUM('Y', 'N')
) TYPE=MyISAM;

## Roles
CREATE TABLE roles
(
  r_id INT(6) UNSIGNED AUTO_INCREMENT PRIMARY KEY,
  r_name VARCHAR(255) NOT NULL default ''
) TYPE=MyISAM;

## Permissions
CREATE TABLE permissions
(
  p_id INT(6) UNSIGNED AUTO_INCREMENT PRIMARY KEY,
  p_name VARCHAR(255) NOT NULL default ''
) TYPE=MyISAM;

## UserRole
CREATE TABLE user_role
(
  u_id INT(7) UNSIGNED default '0',
  r_id INT(6) UNSIGNED default '0'
) TYPE=MyISAM;

## RolePermission
CREATE TABLE role_permission
(
  r_id INT(6) UNSIGNED default '0',
  p_id INT(6) UNSIGNED default '0'
) TYPE=MyISAM;

Now the point is that, if I want to check e.g. "Has x got permisions to edit this article?", then I must use some kind of code like;

PHP Code:

if ( $user->hasPermission ('editArticle') )
{
    // Edit article
} 


Now the problem is, if I use this method, I should exactly know which permissions I can have, and mak checks for them, otherwise I can't check a permission that isn't defined in the checks (e.g. I can't set revokePermission in my admin panel / database if it isn't checked in the code).

Now my question is, is there an alternative way of linking en role to a permission and a permission OF THAT USER / ROLE to a operation (like CRUD)?

[PS: I've read several topics in this forum containing discussion about RBAC Moddeling and linked things, but I can't come op with anything else like this.]

MartijnG

[MartijnG]

I still haven't found a solution for my problem, although I tried several things. Isn't there anyone who can help me out?

[arborint]

The first thing I's want to know is how complex a system you need. Perhaps a simple articles permissions table might be enough:

Code:

CREATE TABLE user_role
(
  u_id INT(7) UNSIGNED default '0',
  article_id INT(7) UNSIGNED default '0'
) TYPE=MyISAM;

As long as you keep the interface to the permission system behind an interface you can keep adding complexity.

[Ren]

Not sure what your problem is exactly.. but instead of checking the permissions in PHP you could do it in the SQL, and just pass the user primary key.. (Assuming using a recent version of MySQL, as DELETE/UPDATE requires subqueries)

Code:

INSERT INTO Articles(Title, Body)
         SELECT 'New Article', 'New Article Body' 
            FROM user_role AS ur 
                 INNER JOIN role_permission AS rp ON ur.r_id = rp.r_id
                 INNER JOIN permissions AS p ON rp.p_id = p.p_id
            WHERE ur.u_id = 1 AND p.p_name = 'addArticle';

Wouldn't insert a row unless the user with id 1 had the addArticle permission.

[MartijnG]

@arborint: I´m using different modules, like an article-system, a newsletter system, a forum etc. What I want is an easy and flexible system. I want to be possible to add roles in my adminpanel (for certain areas), and therefore I don't want to keep changing the code ;-)

[shekhar-jha]

If you look at the various security models available (for example J2EE) they are based on the design that each application will know about the Permission that a user needs to perform an action. Now the RBAC allows you to map those known permissions to Roles which are declared as a part of product definition. Then you assign these Roles to the users at runtime and then validate whether a user belongs to a role at runtime in your code to decide whether they are allowed to perform action that they are trying to accompalish. In this scenario the application will expose pre-defined roles and not permission. Since this model does not define role to permission mapping the roles that finally get implemented contains the information about the resource and permission themselves.
Then the other model is the model that you are trying to implement which basically works by asking the question
Can <username> perform <action> on <resource>?
where action correlates to the permission you are talking about!!
In this scenario the roles are defined at runtime and access rules are created in the form Allow/Deny <role> the permission to perform <action> on <resource> if <condition> and then user's are assigned roles!! This is a better but more complex model to implment than the original RBAC.
W.r.t. implementation of this model, one of the approach available is as you have described where the code itself contains the name of the action embedded in it. But another possible way esp. in web based system is ability to utilize the URL for making the authorization permission so that for a URL of the form
<site.com>/product/module/resource?action=permission
you can implement a servlet filter or some generic authorization module that extracts the resource name, permission from URL and user name from session information to ask the question defined above.
Hope this helps. www.jroller.com/page/sjha/20040626