Click here to Skip to main content
15,884,628 members
Search within:


How to maintain different security levels
Please Sign up or sign in to vote.
4.00/5 (1 vote)
See more:
Java
Hi All,

Language is JAVA

I'm trying to develop a inventory conrol system(for my information & as a preparation of diploma project).
Here I definetely need to create users on the software.
According to my plan, there must be three kind of users at least.
that is,

01. Admin level users = can use any button, link, form. create,change & delete records & item lists

02. Sales level = can only generate Invoices, print bills & send to security team
confirmation.

03. Security team level = can only view Invoices & confirm it is delivered.

another goal is, some users should have both Sales level & security team level.

My program must have capability to change users capabilities if admin level users need.
(just like windows security group assignment) Here I can't depend on windows security groups because this software is developed as platform independant ie: program should work on both windows & linux.

I have no idea how to achive this goal.
I need an idea from an EXPERT.
Language is JAVA


Please help........
Posted
Add a Solution
Comments
Sergey Alexandrovich Kryukov 13-Aug-14 4:48am    
I up-voted this question by 4. This problem is really important, not very trivial and pretty interesting. From the other hand, not 5, because I think you are going not in a very correct direction; it is explained in detail in my answer.
—SA

3 solutions

It looks like you are talking about design of security level related exclusively to your application system. It makes all technological problems irrelevant (or trivial); it all is the matter of adequate design.

I want to give you one general advice, something which would help you to avoid some very typical mistakes based on misunderstanding of the customer view of this.

Now, here is the idea: don't define those level the way you try to formulate. I'll explain why. By formulating and even by naming those levels, you try to enforce some organizational structure in the organization of the customer. You need to understand: this is your view of organizational structure, not the view of your users. Even if you think that your view reflects very typical really existing organization structure, and even if you are right in your understanding, your user may not like it. Do you know what happens if the users start giving you new requirements? It's the best to avoid it.

Here is how you can resolve this. Ultimately, all permission come from some functional units of your application: some actions can be enabled or disabled. Usually, groups of action are logically related: if one thing is enabled, another one also should be enabled, but something else may not. So, instead of "levels", in some configuration UI, provide a set of check boxed (check boxes, not the list, not radio boxes), something like:

  • Generate invoices
  • Generate security confirmations
  • View bills
  • View invoices
  • Confirm delivery
  • Create records (specify what kind of records)
  • Modify records…
  • Delete records…
  • …and so on


What to do next? Provide some action like "Create user role". Here we are coming to a key moment: the customer administrator of the your system defines roles, not you.. The role structure should include 1) name of the role; 2) the subset of the actions listed above (the action list is your product, you decide how to group them); this subset defines what actions are permitted for the given role.

On next step, the administrator (again, someone on the customer side!) defines which roles are assigned to which user. Also, don't make a mistake here: you should provide an opportunity to assign more than one role to each users. You see, the "levels" are too inflexible. One worker may occasionally need to do the job of another one, without changing the profile. Again, the administrator on the customer side decides, not you.

Also, allow the customers to do their little mistakes. It could be a problem if some silly administrator creates a role when "create invoice" is permitted, but "view invoice" is not. Stupid? Yes, but not fatal. Don't brain-wash your customers. Instead, allow them to make this mistake; it 1) will make your architecture more elegant and straightforward, 2) will not irritate the customer with error message which are hard to understand; 3) will let them understand the problem on like use case and easily fix it later. That is a better approach.

Now, let's look at the general, architectural data structure. If the work of each regular worker (not administrator) is those invoices and payments, the artifact of this work can be called data. What is the assignment between the roles and personal records/accounts? This is a part of data which describes how data should be processed, so it could be called meta-data, or, more exactly meta¹-data. What is the data describing each role? This is the data describing meta¹-data, meta-data over meta-data, so it can be called "meta-data squared", meta²-data. Finally, the whole part of architecture related to all those permission describes how meta²-data works, so it could be called meta³-data. What are the artifacts of meta³-data? The might not be described anywhere except documentation, so this level can be hard-coded. If all the roles and permissions are prescribed in some database, meta³-data will be reflected, among other things, in the database schema.

I hope you understand how the related data structures could be defined, from either object-oriented or relational point of view, or both, but if you have some concerns, I'll gladly try to answer your follow-up questions.

—SA
 
Share this answer
 
Posted
Updated 13-Aug-14 4:26am
v2
Comments
Nipuna S Perera 13-Aug-14 5:39am    
Sergey,
very good anser. You made me understand so many theories.
millions of thanks must offer you, for your valueble time.
I learnt so many things on your answer.
thanks a lot.
Sergey Alexandrovich Kryukov 13-Aug-14 10:27am    
You are very welcome.
Good luck, call again.
—SA
Free Application internal database:
Apache Derby[^]

I'd suggest do decide for a framework to use. the Derby Database is mysql compatible, so you can switch databases whenever needed.
Settings for the database should be held in a properties files.

For User management you will need a decent concept. I'm with Richard, sounds good to me. I'd add user groups.

Also - what kind if data should those users process? that could influence the architecture.

First things first: you will need a project plan!

Write it all down:

- Define things (who what where when)
- create user stories
- create data layout
- create UI layout
- define test criteria (to determine if you have reached your goal)
 
Share this answer
 
Posted
Comments
Nipuna S Perera 13-Aug-14 5:42am    
thanks TorstenH for your time & idea. another way to think.
The usual way of managing this, would be to use a database. One table would define the user types and another would define the actual users. Thus you could have multiple users of each type. The information from the user type would then contain a number of items that define the actions they are allowed to perform. Your programs would then need to read the type information when someone logs on and then decide which features to allow or disallow based on that information. For simplicity, and testing, you can create dummy type records and just read them direct into your code.
 
Share this answer
 
Posted
Comments
Sergey Alexandrovich Kryukov 13-Aug-14 4:46am    
I think you have been led by OP, who does the very typical mistake of defining the roles of the user of an application system. It means forcing the customer to follow some organizational structure, which is usually perceived as too intrusive. In a number of similar situations, I put forward more flexible approach which is more acceptable from this point. Described in Solution 2. This is a really serious problem which is often solved the way OP tries to envision, but it often creates awkward organizational problems.
—SA
Richard MacCutchan 13-Aug-14 4:52am    
I suggest you re-read the question.
Sergey Alexandrovich Kryukov 13-Aug-14 4:58am    
Hm. Please explain what am I missing. If you are going to say that what I suggest is not what OP wants, it won't count. The whole point is: what OP wants is not a good way to deal with roles and permissions. But if you mean that OP needs technical, not architectural suggestions, I understand that; I just say it's not yet time for the technicalties. :-) See the point?
—SA
Richard MacCutchan 13-Aug-14 5:03am    
Whatever ...
Nipuna S Perera 13-Aug-14 5:29am    
Hi Sergey,
since I'm very new to the programming & java, I don't know what the OP is. anyway. I strongly needs to do this. because. my country is Sri Lanka. all of We are not good in IT field. there are some experts. but persons we are dealing with in normal contry side have less knowledge in IT. people ask for miracles which a programmer haven't imagine. I was asked for a program like this, by a good friend of mine. I have to do this for free.
Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month
Related Questions
How to maintain different security levels
Difference between Message and Transport level security in WCF
Difference between transport and message security in WCF
Login on Different Levels
how to maintain metadata in table level and flat files in sqlserver
Define security levels in a Program
Web Security levels that can be implemented
DelegateSerializationHolder is not permitted to be deserialized at this security level
How to maintain ISO standard Naming convention or CMM level cnvention
Need WCF Transport level and message level security saple code

Advertise
Privacy
Cookies
Terms of Use
Last Updated 13 Aug 2014
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web01 2.8:2024-04-02:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900