
How to Manage Role Based User Rights

2.56/5 (14 votes)

Jun 21, 2007

CPOL

3 min read

Step by step guidelines to architect role based user management

[Screenshot: DFD_UserRights.gif]

Introduction

The main cause of failure in any automated system is loopholes in the security system or bugs in rights management, for example:

  • Unauthenticated visitors getting access to the system
  • Unauthorized users getting rights to access critical areas

Popular Approaches Used In Common Practice

  • Managing user rights in the session object
  • Fetching permissions from the database for every Webform (database overhead)
  • Complexity of the overall process is O(n²)
    • E.g. if there are 1000 users
    • There are 300 Web forms
    • There are 20 types of rights, e.g. Add, Edit, Delete, Reconciliation level 1 ... Reconciliation level n, View, Print, Cash removal, etc.
    • It means there will be 1000 X 300 records in the database for user rights (300000 records)
    • It means there will be 1000 X 300 X 20 cells to be fetched for rights management (6000000 cells)

Proposed System

  • Storing Rights
    • Define a bit value for every right
    • Define a string containing the bitwise rights information for a particular Webform
    • Maintain a data structure, e.g. a HASHTABLE, to store the bitwise rights string for each Webform
    • Serialization:
      • Serialize the data structure
      • So that it can be stored in a database or on other storage media
    • Store the serialized data structure in the database for a particular user, against the userid
  • Fetching Rights
    • Based on the userid, fetch one record (the serialized data structure) from the database
    • De-serialize the data structure
    • Store the data structure in a session object
  • Implementing Security System
    • Authentication Procedure
      • Get the user's details from the database based on username and password
      • If successful, proceed to the authorization procedure for each Webform
      • If unsuccessful, keep the user on the login gateway
    • Authorization Procedure (Web form based)
      • For the current Webform, look up its bitwise rights string in the data structure held in the session object for the logged-in userid
      • Enable or disable the corresponding buttons, links and content based on the bit value for each right
  • Process Flow
    • Complexity of the overall process is O(n)
      • There are 20 types of rights
      • It means a string of type VARCHAR(20) is enough to store the access rights per Webform
      • There are 300 Webforms
      • It means we'll have a tabulated data structure with 300 rows and 2 columns:

      WebForm Name / ID    Bitwise Rights String
      -----------------    ---------------------
      Default.aspx         11111111111111111111
      Login.aspx           11111111111111111111
      Userhome.aspx        11010101001000000000
    • After serialization, only a single value has to be stored in the database for the complete data structure
    • If there are 1000 users
      • Only 1000 records will be in the database
      • Only 1000 cells have to be fetched from the database for rights management
  • For a more secure environment, Triple DES encryption can be used when storing and retrieving the bitwise rights string

Points of Interest

  • The length of the bitwise rights string should match the number of available rights
  • Encryption should be used as appropriate for the environment

Loopholes

  • More overhead for managing rights per user
  • Time taken to update the set of forms, i.e. adding new forms and maintaining their rights for every user

Possible Solution

  • Saving the rights information in the database against a roleid instead of a userid
  • Managing roles per userid
  • 1:N relationship between userid and roleid
  • Having a procedure that fetches rights by applying the logical OR operator across all roles assigned to a userid
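The following is an added example, not code from the article, that puts the proposed system and the role-based refinement above together: a per-Webform table of fixed-width bitwise rights strings, roles merged with logical OR, the whole structure serialized to a single value, and a per-Webform check. The role names, the right names beyond the few the article lists, the Reports.aspx Webform and the JSON serialization format are constructed assumptions.

```python
import json
# One bit per right, in the fixed order used by the rights string. Only a
# few names come from the article; the rest are constructed to reach 20.
RIGHTS = ["Add", "Edit", "Delete", "View", "Print", "CashRemoval"] + [
    f"Reconcile{n}" for n in range(1, 15)]
WIDTH = len(RIGHTS)  # 20 bits -> one VARCHAR(20) value per Webform

# Constructed sample role tables (Webform -> bitwise rights string).
ROLE_TABLES = {
    "clerk": {"Default.aspx": "1" * WIDTH,
              "Userhome.aspx": "11010101001000000000"},
    "auditor": {"Userhome.aspx": "00110000000000000000",
                "Reports.aspx": "00011000000000000000"},
}

def bits_to_mask(bits):
    """Parse a fixed-width 0/1 string; reject malformed input instead of
    letting a truncated or padded value grant anything."""
    if len(bits) != WIDTH or set(bits) - {"0", "1"}:
        raise ValueError(f"rights string must be {WIDTH} chars of 0/1")
    return int(bits, 2)  # leftmost character is the most significant bit

def mask_to_bits(mask):
    return format(mask, f"0{WIDTH}b")

def merge_roles(role_tables, role_ids):
    """Logical OR of every assigned role's rights, Webform by Webform."""
    merged = {}
    for role in role_ids:
        for form, bits in role_tables[role].items():
            merged[form] = merged.get(form, 0) | bits_to_mask(bits)
    return merged

def serialize(rights):
    """The single value stored per user (or per role) in the database."""
    return json.dumps({f: mask_to_bits(m) for f, m in sorted(rights.items())})

def deserialize(value):
    return {f: bits_to_mask(b) for f, b in json.loads(value).items()}

def user_rights(role_ids, role_tables=ROLE_TABLES):
    """What the login step would place in the session: one round trip."""
    return deserialize(serialize(merge_roles(role_tables, role_ids)))

def has_right(rights, form, right):
    """Per-Webform check. Fail closed: unknown form or right -> denied."""
    if form not in rights or right not in RIGHTS:
        return False
    return bool(rights[form] & (1 << (WIDTH - 1 - RIGHTS.index(right))))
```

A Webform that is absent from the merged table is denied rather than falling through, which is the behaviour a newly added form should have until its rights are assigned.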

Still to Come...

  • A full-fledged solution with a case study, from a novice-level prototype model to an advanced implementation of user rights

History

  • 21st June, 2007: Initial post