multi-department authentication strategy


bender

Client's application is running on IIS5, created with FP2003 and ASP.

6 departments, each department has a different password.
Logging in assigns their session(authenticated) variable to 1 through 6,
or 9 for a manager who can access all departments.

The variable comes from an Access d/b with 3 fields: user, password, and
level.

At the beginning of each department page I have an include file inside
a logic test:

<%If Session("Authenticated") < 9 Then%>
<!-- #include file="export.inc" -->
<%End IF%>

This allows managers etc., who have level 9, to access all pages, and
the include file tests to check if the user has the proper level to be
in the page, or they are sent back to the login page.

Works fine....except....

Now the client wants some users to have access to more than one page
without having to log into each page separately. So some users might
have access to departments 1 and 4, or 3 and 2 and 5, etc., etc.

I'd like to make a manager's page with radio buttons that can give yes
or no values to additional fields in their Access database so that people
can have multi-department access. Then, instead of a "level" field in
Access, I would add 6 yes or no fields for each department, and (in an
Access query table) a concatenated field which would be a combination
of the 6 fields. So its value might be something like: 101011
which would give people access to departments 1, 3, 5 and 6.

Then I would just have to figure out some ASP logic test at the
beginning of each field to test authentication (though how, I'm not sure
yet).

This is my initial strategy, which usually turns out to be pretty
bone-headed.

Any suggestions for a better plan, or an idea for a logic test that
can test one of six values in a six-character string?

And no, the client does not want to use NT authentication, where I
could use groups, etc.

thanks,

Larry
- - - - - - - - - - - - - - - - - -
"Forget it, Jake. It's Chinatown."
 
Hi Larry,

We had a similar problem when designing one of our sites. We ended up
adopting the same model that Microsoft uses, which is to create groups and
users, and assign users to groups. Each user can belong to any number of
groups, and the groups are what determines the permissions. The thing I like
about this model is that it can handle any configuration of security that
you wish. The users and groups are stored in a database, and each page has a
collection of groups that have access to it, also stored in the database. The
nicest part is that all that is needed to change permissions is to modify
the database records. In our case, we used ASP.Net, so we were able to
create an inherited class from System.Web.UI.UserControl that handles all
the permissions "behind the scenes" (in the base class). With ASP, it would
probably involve the use of a Server-side include in each page.

--
HTH,
Kevin Spencer
.Net Developer
Microsoft MVP
Big things are made up
of lots of little things.
 
Thanks. Having decided for the time being not to go the ASP.Net
route, I am indeed going to use server-side includes in each page, and
I'm formulating the string manipulation to test if the first through sixth
character in the string is a 1 or a 0, depending on the page. Not
elegant, but I think it will be effective and let me give the manager a
page to add or remove permissions.

Larry
- - - - - - - - - - - - - - - - - -
"Forget it, Jake. It's Chinatown."
 
You might want to try using security levels raised to the power of 2. This
provides the ability to AND the value with a desired level to determine if
the user has access rights to that level.

For example, you change your security level structure from 1, 2, 3, 4, 5, 6,
7, 8, 9 to 1, 2, 4, 8, 16, 32, 64, 128 and 255. The value 255 evaluates true
for any of the preceding values.

Then, in your code, you use AND to test for the level. Assuming the user's
current access security level is stored in the variable 'seclevel', you
would use:

if (seclevel AND <RequiredSecurityLevel>) Then
' let them in
end if

Using the values and variables above, if the user had a security level of 1,
the following tests and results would occur (I use Visual Basic to do the
test, so the code is in VB):

seclevel = 1

Debug.Print seclevel And 1
Debug.Print seclevel And 2
Debug.Print seclevel And 4
Debug.Print seclevel And 8
Debug.Print seclevel And 16
Debug.Print seclevel And 32
Debug.Print seclevel And 64
Debug.Print seclevel And 128
Debug.Print seclevel And 255
1
0
0
0
0
0
0
0
1

This means the user at level 1, and the user with level 255, could access the
page. Ditto, if seclevel = 2 the result would be:

0
2
0
0
0
0
0
0
2

Only level 2 members, and the managers at level 255, would have access.

Since adding the numbers together performs a bitwise addition -- similar to
your use of 00100011 to determine the level -- users who should access
different things are given a level equal to the total. For example, a user
with seclevel=3 would get access to the 1 and 2 level files:

1
2
0
0
0
0
0
0
3

Ditto, if their access level was 14, they could access the second, third and
fourth items (values 2, 4 and 8), while the manager could access all:

0
2
4
8
0
0
0
0
14

The user with seclevel 221 could access the first, third, fourth, fifth,
seventh and eighth level:

1
0
4
8
16
0
64
128
221

To build the value to assign to each employee, you use OR to add the values
of each desired security level together to obtain the final seclevel:

seclevel = 1 Or 4 Or 8 Or 16 Or 64 Or 128

... which results in a value of 221.


--

Randy Birch
MVP Visual Basic
http://vbnet.mvps.org/
Please respond only to the newsgroups so all can benefit.


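Randy's bitmask test and Larry's 101011 yes/no string, modelled together in Python as an added example (this is not code from the thread, and the VBScript include would use `And`/`Or` in the same way). The six department names and the page-to-department table are constructed for illustration; a missing or zero session value is treated as "deny".

```python
# Added example, not from the thread: Randy's power-of-two security levels,
# with Larry's six-character "101011" flag string mapped onto the same mask.
DEPARTMENTS = ("dept1", "dept2", "dept3", "dept4", "dept5", "dept6")  # constructed names
# One bit per department: dept1 = 1, dept2 = 2, dept3 = 4, ... dept6 = 32.
DEPT_BIT = {name: 1 << i for i, name in enumerate(DEPARTMENTS)}
ALL_DEPTS = sum(DEPT_BIT.values())  # 63 for six departments (Randy's 255 covers eight)
MANAGER = ALL_DEPTS                 # the "9" of the original scheme: every bit set


def mask_from_flags(flags: str) -> int:
    """Turn Larry's concatenated yes/no string (first char = dept 1) into a mask."""
    if len(flags) != len(DEPARTMENTS) or set(flags) - {"0", "1"}:
        raise ValueError("flags must be exactly six '0'/'1' characters")
    mask = 0
    for i, ch in enumerate(flags):
        if ch == "1":
            mask |= 1 << i
    return mask


def flags_from_mask(mask: int) -> str:
    """Inverse of mask_from_flags, for rendering the manager's radio-button page."""
    return "".join("1" if mask & (1 << i) else "0" for i in range(len(DEPARTMENTS)))


def mask_from_depts(*names: str) -> int:
    """Randy's 'OR the values together' step: seclevel = 1 Or 4 Or 8 ..."""
    mask = 0
    for n in names:
        mask |= DEPT_BIT[n]
    return mask


def can_access(seclevel, required: int) -> bool:
    """The per-page include test: If (seclevel And Required) Then let them in.
    VBScript's And is bitwise on integers, so 14 And 2 = 2, which is true.
    An unset session (None) or 0 is denied rather than falling through."""
    if not seclevel:
        return False
    return (int(seclevel) & required) != 0


def page_allowed(seclevel, page: str, page_dept: dict) -> bool:
    """Look up which department a page belongs to; unknown pages are denied."""
    dept = page_dept.get(page)
    if dept is None:
        return False
    return can_access(seclevel, DEPT_BIT[dept])
```

The session value must be set from the database row at login, never from anything the browser sends, or the mask becomes a client-chosen permission.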
 
