开发者

Applying Linux Group Ideology to Web Applications

开发者 https://www.devze.com 2023-01-28 00:10 出处:网络
I have built a database driven web application that has a user and group system that works in a similiar way that Linux handles user access.

I have built a database driven web application that has a user and group system that works in a similiar way that Linux handles user access.

Breif explanation:

A user can access various resources, the resources are assigned to a single group and users can have many groups.

Users

id   name  
--   -------  
1    RedRanger 
2    GreenRanger
3    BlueRanger

Group Assignment

user group
---- -----
1       33
1    44
1    55
2    33
2    44
3    33
3    44
3    55
3    66

Group description

gid name  
--- ----  
33  user  
44  things  
55  stuff  
66  foo  

Resource

name group
---- -----
a    33
b    33
c  开发者_开发知识库  33
x    44  
y    55
z    66

RedRanger can access a, b, c, x and y but not z

GreenRanger can only access a, b, c and x

BlueRanger can access a, b, c, x, y and z

Lets say that RedRanger needs to be denied access to resource a

if I remove him from group 33 he can no longer access b or c which is no good.

The only alternative is to change a's group and add everyone else to the new group, this isn't so bad for 3 users, but what about 3,000?

If this situation occurs often there will soon be a mess of groups.

What is the best approach to this problem?


A resource should be able to "belong" to more than one group, rather than just one. This limitation really restricts the design.

You're part way towards a RBAC system; have a read over it and see how you could be a little bit more flexible for a better result.


It sounds like RedRanger no longer fits role (group) 33 and a new role needs to be created with access to the features (resources) that fit this new role. 3 users vs. 3,000 users is just a matter of doing the change in an admin UI vs. a sweeping database update.

0

精彩评论

暂无评论...
验证码 换一张
取 消