|
| Need Advise WD17 - User Access Management |
| Iniciado por guest, 14,nov. 2014 05:55 - 2 respuestas |
| |
| | | |
|
| |
| Publicado el 14,noviembre 2014 - 05:55 |
Dear All,
In a software that I am developing I am using web service to access remote database which is MySQL.
As I am not using the native HFSQL Classic or Server it would not be possible to implement Groupware for user access rights management.
To handle users and their access rights here is what I am doing:
I have create three tables
Table 1 is Privilege master (priv)
Table 2 is User master (usr)
Table 3 is User Privilege (usrpriv)
Here are the structure of these tables as dumped by MySQL phpMyAdmin:
-- -- Table structure for table `priv` -- CREATE TABLE IF NOT EXISTS `priv` ( `priv_id` int(11) NOT NULL AUTO_INCREMENT, `priv_module` text, `priv_name` text, `priv_descrip` text, PRIMARY KEY (`priv_id`) ) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ; -- -------------------------------------------------------- -- -- Table structure for table `usr` -- CREATE TABLE IF NOT EXISTS `usr` ( `usr_id` int(11) NOT NULL AUTO_INCREMENT, `usr_username` text, `usr_propername` text, `usr_passwd` text, `usr_initials` text, `usr_active` tinyint(1) NOT NULL DEFAULT '1', `usr_email` text, PRIMARY KEY (`usr_id`) ) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ; -- -------------------------------------------------------- -- -- Table structure for table `usrpriv` -- CREATE TABLE IF NOT EXISTS `usrpriv` ( `usrpriv_id` int(11) NOT NULL AUTO_INCREMENT, `usrpriv_priv_id` int(11) DEFAULT NULL, `usrpriv_usr_id` int(11) DEFAULT NULL, PRIMARY KEY (`usrpriv_id`) ) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;
What I am planning to do is enter all the features that are necessary for the users in the priv table taking care to note down the automatically generated RecID (priv_id).
Then in a Global module I am creating constants names as per user rights name and assigning them value as per the auto generated RecID.
Now when a user is assigned an access right I am saving the same info in usrpriv table.
When a user logs in and tries to access any part of the software I will first check whether the user has the required rights (in usrpriv table) to access that part of the software or not and then allow access or deny access.
What I am doing seems to work at experimental level.
I would like to know if this is the right way to go?
Another thing is that this way is quite laborious as I have always keep the priv table and my list of constants in sync.
Is there any easier way to manage user access rights then this that anyone has been using successfully and would like to share please to share it here?
TIA
Yogi Yang |
| |
| |
| | | |
|
| | |
| |
| Publicado el 14,noviembre 2014 - 11:57 |
Yogi
First thing I would suggest is that you use InnoDB as your database engine and not MyISAM especially if data integrity is an important consideration.
There are plenty of articles discussing the pro and cons on Google.
For your user access solution it is a case of 'what works for you'.
Without knowing your application and its requirements it is impossible to give a judgement.
What I would suggest is that you have a 4th table containing 'Roles'.
Users are then assigned a role and it is the role that has the underlying privileges.
Then in your coding your logic should be able to accommodate users that have more than one role assigned with the 'greater' access taking preference.
Good luck on this one.
The last one I wrote (for an MDI app) took about 10 days but this controlled not only access to the windows but the functionality available on the window itself (Tabs, Buttons etc). |
| |
| |
| | | |
|
| | |
| |
| Publicado el 14,noviembre 2014 - 12:01 |
Hi
there are many different ways to manage that problem. You can by example add a PROFILE functionality, in order to save management time. You create a profile per job (by example, secretaries, sales people, mechanics...) Each profile gets a set of permissions.
This way, you just have to set for each user which profile (or profileS) he is part of. At that point, you can of course also OVERRIDE the profile by adding or removing individual permissions, if somebody is assigned one specific task and you don't want to create a profile for it.
Now, depending on the application and the local needs, the permission system can be:
- nothing but the permissions given
-OR-
- everything but the permissions removed... This version allow any NEW module to be available to everyone by default, without having to change anything. So this system is good in a case where only a few very specific task are blocked.
As to your analysis organization, once again, there are many way to manage this. I do all of the things described above with a class and ONE parameter data file, with nearly all the information in a Name=Value text memo field. That doesn't mean that your choice is wrong, of course <img src="/NG2013_WEB/ui/smiley/1.gif" align=absmiddle border=0 alt=":-)">
Best regards |
| |
| |
| | | |
|
| | | | |
| | |
|