plz advise!! user rights..

[Jassim Rahma]

I have an application in C# and I want to assign rights based on the user
login. I have users table in the database and I wnat to know what is the
best way to manage the user rights?

 

[Tom Spink]

I have an application in C# and I want to assign rights based on the user
login. I have users table in the database and I wnat to know what is the
best way to manage the user rights?

Hi,

There are generally two basic approaches to this, capabilities and
access-control. Depending on your application, you need to decide which
way to go about this. Both of these approaches are inherently the same;
it's a way of deciding if an operation (i.e. performed by a user) is
allowed. But they differ on how the users rights are mapped to
resources/operations.

Using capabilities, when an operation is performed the program will check
the *user* and see if he has rights to perform the operation. Using
access-control, the program will check the *resource* and see if the user
has access.

So, capabilities is a list of rights a user has:

U1: {(R1,read), (R1,write), (R2,read)}
U2: {(R1,read)}
U3: {(R2,delete),(R3,read), (R3,write)}

And access control is a list of users who have access to a resource:

R1: {(U1, read), (U1, write), (U2, read)}
R2: {(U1,read), (U3,delete)}
R3: {(U3,read), (U3,write)}

Once you've decided how you want to approach this, the database relations
generally come naturally.

Once you have the relations, you can easily query the database based on how
you want to check permissions.

 

[PS]

I have an application in C# and I want to assign rights based on the user
login. I have users table in the database and I wnat to know what is the
best way to manage the user rights?

In addition to what Tom posted the relationship between a user and the
authorization can be a direct relationship or you can define roles and
assign the users to the particular roles. If there will be a large number of
users then it is likely that the requirements may be expressed more as
"Standard Users can not delete XYZ" rather than "John can not delete XYZ".
The role itself has the authorizations. There are also advantages in doing
this if the user is to have a mixed bag of authorizations based on the
context, i.e. on Active accounts they are a Power User, on Inactive Accounts
they are a Super User.

PS

 

[Tom Spink]

In addition to what Tom posted the relationship between a user and the
authorization can be a direct relationship or you can define roles and
assign the users to the particular roles. If there will be a large number
of users then it is likely that the requirements may be expressed more as
"Standard Users can not delete XYZ" rather than "John can not delete XYZ".
The role itself has the authorizations. There are also advantages in doing
this if the user is to have a mixed bag of authorizations based on the
context, i.e. on Active accounts they are a Power User, on Inactive
Accounts they are a Super User.

PS

Hi PS,

Good points! Something I thought about while reading this was your
working "Standard Users *can not* do this". It led me to think about
permission ordering, i.e. permissions that strictly allow and permissions
that strictly deny, rather then access control stating, "User A can read
this", we can have "User A can NOT read this" (which may override any
default permissions)