Posted 20 Jun 2007
How to Manage Role Based User Rights

20 Jun 2007, CPOL, 3 min read
Step by step guidelines to architect role based user management
[Screenshot: DFD_UserRights.gif]

The main cause of failure in any automated system is a loophole in its security system or a bug in its rights management:

  • Unauthenticated visitors getting access to the system
  • Unauthorized users getting rights to access the critical areas

Popular Approaches Used In Common Practice

  • Managing user rights in session object
  • Fetching permission from database for every Webform (database overhead)
  • Complexity of overall process is O(n²)
    • E.g. if there are 1000 users
    • There are 300 Web forms
    • There are 20 types of rights, i.e. Add, Edit, Delete,
      Reconciliation level 1, Reconciliation level n, View,
      Print, Cash removal, etc.
    • It means there will be 1000 × 300 records in the database for user rights (300000 records)
    • It means there will be 1000 × 300 × 20 cells to be fetched for rights management (6000000 cells)

Proposed System

  • Storing Rights
    • Define bit value for every right
    • Define string containing bit wise rights information for particular Webform
    • Maintain data structure e.g. HASHTABLE to store bitwise rights string for corresponding Webform
    • Serialization:
      • Serialize the data structure
      • To store the data structure into database or storage media
    • Store the serialized data structure into the database for a particular user against userid
  • Fetching Rights
    • Based on the userid, fetch one record from the database (serialized data structure)
    • De-serialize the data structure
    • Store the data structure into a session object
  • Implementing Security System
    • Authentication Procedure
      • Get details from database based on username and password
      • If successful, opt for authorization procedure per Webform
      • If unsuccessful, let the user on login gateway
    • Authorization Procedure (Web form based)
      • Using the userid held in the session object, look up the bitwise rights string for the current Webform in the de-serialized data structure
      • Make the corresponding buttons, links, contents enabled/disabled based on bit value for corresponding rights
  • Process Flow
    • Complexity of overall process is O(n)
      • There are 20 types of rights
      • It means a single string of type VARCHAR(20) stores the access rights for one Webform
      • There are 300 Webforms
      • It means the tabulated data structure has 300 rows with 2 columns

      WebForm Name / ID   Bitwise Rights String
      Default.aspx        11111111111111111111
      Login.aspx          11111111111111111111
      Userhome.aspx       11010101001000000000
    • After serialization, only a single value is stored in the database for the complete data structure
    • If there are 1000 users
      • Only 1000 records will be in the database
      • Only 1000 cells need to be fetched from the database for rights management
  • For a more secure environment, Triple DES encryption can be used when storing and retrieving the bitwise rights string

Points of Interest

  • The length of the bitwise rights string should be kept according to the number of available rights
  • Encryption should be used as per the environment


  • More overhead for managing rights per user
  • Time taken for updating the number of forms i.e. adding new forms and maintaining rights

Possible Solution

  • Saving information in database for a particular roleid instead of userid
  • Managing roles per userid
  • 1:N relationship between userid and roleid
  • Having a procedure for fetching rights using logical OR operator for multiple roles assigned for any userid
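The bitwise rights table from the Proposed System and the logical-OR fetch across roles from the Possible Solution, as an added Python example that is not part of the article (the article targets ASP.NET; the right names, roles, users and every form name except Userhome.aspx are constructed for the example):

```python
import json

# Added example, not the article's code. Right names are assumed and taken from
# the article's list of example rights; each name owns one position in the string.
RIGHTS = ["Add", "Edit", "Delete", "View", "Print", "Cash removal"]
RIGHT_INDEX = {name: i for i, name in enumerate(RIGHTS)}
WIDTH = len(RIGHTS)  # the article sizes this as VARCHAR(20) for its 20 rights

def grant(*names):
    """Build a per-Webform rights string: '1' at each granted right's position."""
    bits = ["0"] * WIDTH
    for n in names:
        bits[RIGHT_INDEX[n]] = "1"
    return "".join(bits)

def or_strings(a, b):
    """Logical OR of two rights strings, position by position."""
    return "".join("1" if x == "1" or y == "1" else "0" for x, y in zip(a, b))

# Constructed sample data: rights kept per roleid (the article's 'Possible
# Solution') plus the 1:N userid -> roleid mapping. Only Userhome.aspx is a
# form name from the article; the other forms, roles and users are made up.
ROLE_RIGHTS = {
    "clerk":   {"Userhome.aspx": grant("View"),
                "Invoice.aspx": grant("Add", "View")},
    "auditor": {"Userhome.aspx": grant("View", "Print"),
                "Reports.aspx": grant("View", "Print")},
}
USER_ROLES = {"alice": ["clerk", "auditor"], "bob": ["clerk"]}

def effective_rights(userid):
    """OR the rights tables of every role the user holds into one form -> string table."""
    table = {}
    for role in USER_ROLES.get(userid, []):
        for form, rights in ROLE_RIGHTS[role].items():
            table[form] = or_strings(table.get(form, "0" * WIDTH), rights)
    return table

def serialize_rights(table):
    """Flatten the whole table to the single value stored against a userid."""
    return json.dumps(table, sort_keys=True)

def load_rights(blob):
    """Deserialize the stored value back into the session-side table."""
    return json.loads(blob)

def is_allowed(table, form, right):
    """Server-side check of one right on one Webform; unknown forms deny by default."""
    rights = table.get(form)
    return rights is not None and rights[RIGHT_INDEX[right]] == "1"
```

Call is_allowed in the Webform's server-side handler as well as when enabling or disabling controls; a disabled button is a UI hint, not an authorization check.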

Still to Come...

  • Full-fledged solution with a case study, from a novice-level prototype model to an advanced implementation of user rights


  • 21st June, 2007: Initial post


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Ashish Sehajpal
Web Developer
India
