Click here to Skip to main content
Click here to Skip to main content

How to Manage Role Based User Rights

, 20 Jun 2007
Rate this:
Please Sign up or sign in to vote.
Step by step guidelines to architect role based user management
Screenshot - DFD_UserRights.gif

Introduction

The main issue behind the failure of any automated system is the presence of loopholes in the security system or the bugs in rights management.

  • Unauthenticated visitors getting access to the system
  • Unauthorized users getting rights to access the critical areas

Popular Approaches Used In Common Practice

  • Managing user rights in session object
  • Fetching permission from database for every Webform (database overhead)
  • Complexity of overall process is O(n2)
    • E.g. if there are 1000 users
    • There are 300 Web forms
    • There are 20 types of rights, i.e. Add, Edit, Delete,
      Reconciliation level 1, Reconciliation level n, View,
      Print, Cash removal, etc.
    • It means there will be 1000 X 300 records in database for user rights (300000 records).
    • It means there will be 1000 X 300 X 20 cells to be fetched for rights management (6000000 cells)

Proposed System

  • Storing Rights
    • Define bit value for every right
    • Define string containing bit wise rights information for particular Webform
    • Maintain data structure e.g. HASHTABLE to store bitwise rights string for corresponding Webform
    • Serialization:
      • Serialize the data structure
      • To store the data structure into database or storage media
    • Store the serialized data structure into the database for a particular user against userid
  • Fetching Rights
    • Based on the userid, fetch one record from the database (serialized data structure)
    • De-serialize the data structure
    • Store the data structure into a session object
  • Implementing Security System
    • Authentication Procedure
      • Get details from database based on username and password
      • If successful, opt for authorization procedure per Webform
      • If unsuccessful, let the user on login gateway
    • Authorization Procedure (Web form based)
      • Based on userid from session object and comparing to the corresponding bitwise string Webform wise, fetch the rights string
      • Make the corresponding buttons, links, contents enabled/disabled based on bit value for corresponding rights
  • Process Flow
    • Complexity of overall process is O(n)
      • There are 20 types of rights
      • It means we are having a string of type VARCHAR(20) only for storing access rights per Webform
      • There are 300 Webforms
      • It means we'll be having a tabulated data structure having 300 rows with 2 columns

      WebForm Name / ID Bitwise Rights String
      Default.aspx 11111111111111111111
      Login.aspx 11111111111111111111
      Userhome.aspx 11010101001000000000
    • Post serialization, we'll be having only a single value to be stored into a database for a complete data structure
    • If there are 1000 users
      • Only 1000 records will be there in the database
      • Only 1000 cells to be fetched from database for rights management
  • For more secure environment, Triple DES encryption can be used for storing and retrieving bitwise rights string

Points of Interest

  • Length of bitwise right's string should be kept according to the number of available rights
  • Encryption should be used as per the environment

Loopholes

  • More overhead for managing rights per user
  • Time taken for updating the number of forms i.e. adding new forms and maintaining rights

Possible Solution

  • Saving information in database for a particular roleid instead of userid
  • Managing roles per userid
  • 1:N relationship between userid and roleid
  • Having a procedure for fetching rights using logical OR operator for multiple roles assigned for any userid

Still to Come......

  • Full fledged solution with case study from novice level prototype model to advanced implementation of user rights

History

  • 21st June, 2007: Initial post

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

Ashish Sehajpal
Web Developer http://www.linkedin.com/in/ashishsehajpal
India India
http://www.linkedin.com/in/ashishsehajpal

Comments and Discussions

 
GeneralTerminology PinmemberTim McCurdy27-Jun-07 23:44 
GeneralFew tips .. PinmemberDaveGriffiths200025-Jun-07 23:48 
GeneralLooks familiar .. PinmemberDaveGriffiths200025-Jun-07 23:31 
QuestionHuh???? PinmemberPaul A. Howes21-Jun-07 3:02 
AnswerRe: Huh???? Pinmemberbalazs_hideghety21-Jun-07 3:27 
Questionsource code Pinmembermdissel21-Jun-07 2:38 
AnswerRe: source code PinmemberTulesh19-Mar-13 20:34 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Mobile
Web02 | 2.8.140821.2 | Last Updated 21 Jun 2007
Article Copyright 2007 by Ashish Sehajpal
Everything else Copyright © CodeProject, 1999-2014
Terms of Service
Layout: fixed | fluid