
How to Manage Role Based User Rights

20 Jun 2007, CPOL, 3 min read
Step by step guidelines to architect role based user management
Figure: DFD_UserRights.gif (data-flow diagram of the proposed user-rights system)

Introduction

A common cause of failure in an automated system is a hole in its security model or a bug in rights management. It shows up in two ways:

  • Unauthenticated visitors gaining access to the system (an authentication failure)
  • Authenticated but unauthorized users reaching critical areas (an authorization failure)

Popular Approaches Used In Common Practice

  • Managing user rights in the session object
  • Fetching permissions from the database for every Webform request (one round trip per page)
  • Storage grows with the product of users and forms, O(users × forms), and every row carries all of the rights:
    • E.g. if there are 1000 users
    • and 300 Web forms
    • and 20 types of rights, i.e. Add, Edit, Delete,
      Reconciliation level 1 ... Reconciliation level n, View,
      Print, Cash removal, etc.
    • then there are 1000 × 300 = 300,000 user-rights records in the database
    • and 1000 × 300 × 20 = 6,000,000 cells to be fetched and compared for rights management

Proposed System

  • Storing Rights
    • Assign a bit position to every right (Add, Edit, Delete, View, ...)
    • For each Webform, build a string of 0/1 characters, one per right, from those bit values
    • Keep a data structure, e.g. a HASHTABLE keyed by Webform, holding that rights string for each form
    • Serialization:
      • Serialize the whole data structure
      • So that it can be stored in the database or other storage media as a single value
    • Store the serialized data structure in the database against the user's userid
  • Fetching Rights
    • Based on the userid, fetch one record from the database (the serialized data structure)
    • De-serialize it
    • Keep the de-serialized data structure in the session object for the rest of the session
  • Implementing Security System
    • Authentication Procedure
      • Look up the user by username and verify the supplied password against the stored (salted, hashed) password; do not query the user table by the plaintext password
      • If successful, proceed to the authorization procedure on every Webform
      • If unsuccessful, keep the user on the login page
    • Authorization Procedure (Web form based)
      • Using the userid held in the session object, look up the current Webform in the session's rights structure and read its bit string
      • Enable or disable buttons, links and content according to the bit for each right
      • Test the same bit again in the server-side handler before performing the action: the enabled/disabled state of a control only governs what is rendered, not what a submitted request is allowed to do
  • Process Flow
    • Complexity of the overall process is O(n) in the number of users
      • There are 20 types of rights
      • So a string of 20 characters (VARCHAR(20)) holds the access rights for one Webform
      • There are 300 Webforms
      • So the data structure is a table of 300 rows with 2 columns

      WebForm Name / ID   Bitwise Rights String
      Default.aspx        11111111111111111111
      Login.aspx          11111111111111111111
      Userhome.aspx       11010101001000000000

    • After serialization this whole structure is a single value stored in the database
    • If there are 1000 users
      • There are only 1000 rights records in the database
      • Only 1000 cells in total are fetched for rights management (one per user, at login)
  • For a more secure environment the stored rights string can be encrypted (Triple DES is suggested here). Encryption only hides the value from whoever can read the database; it does not by itself detect a record that has been altered. If tampering is the concern, protect the record with a MAC or an authenticated encryption mode, and prefer AES to Triple DES, which NIST has deprecated

Points of Interest

  • The length of the bitwise rights string should match the number of available rights
  • Use encryption as the environment requires

Loopholes

  • More overhead for managing rights per user: every rights change is a rewrite of that user's serialized structure
  • Time taken to maintain the set of forms, i.e. adding a new form means updating the rights structure of every user

Possible Solution

  • Save the serialized rights structure in the database against a roleid instead of a userid
  • Assign roles to each userid
  • Each userid can hold several roleids (a userid-to-roleid link table; since a role is shared by many users the relationship is many-to-many)
  • Fetch a user's rights by loading the structure of each assigned role and combining them form by form with a bitwise OR: a right is granted if any of the user's roles grants it
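The design described under Proposed System and Possible Solution above (one bit per right, a form-to-rights map per role serialized into a single stored record, a bitwise OR across the user's roles at login, a per-form check, and the server-side re-check before an action) as an added Python example. This is not code from the article or from its VB.NET implementation. The right names, form names, the two roles, the user, the password and the key are constructed for illustration; the in-memory dicts stand in for the database. HMAC-SHA256 is used in place of the Triple DES suggestion because the property that matters for a stored rights record is integrity (someone with database access turning a 0 into a 1), which encryption alone does not provide.

```python
import hashlib
import hmac
import json
from enum import IntFlag


class Right(IntFlag):
    """One bit per right; the bit string on the page is this mask rendered in binary."""
    VIEW = 1
    ADD = 2
    EDIT = 4
    DELETE = 8
    PRINT = 16
    RECONCILE_L1 = 32
    RECONCILE_L2 = 64
    CASH_REMOVAL = 128


NUM_RIGHTS = 8  # width of the rights string; widen it when rights are added


def to_bitstring(mask: Right) -> str:
    """Render a mask as the fixed-width '0'/'1' string (highest bit first)."""
    return format(int(mask), f"0{NUM_RIGHTS}b")


def from_bitstring(text: str) -> Right:
    """Parse a rights string; reject anything that is not exactly NUM_RIGHTS binary digits."""
    if len(text) != NUM_RIGHTS or set(text) - {"0", "1"}:
        raise ValueError(f"bad rights string: {text!r}")
    return Right(int(text, 2))


def seal_rights(form_rights: dict, key: bytes) -> str:
    """Serialize a form -> mask map into the single value stored per role, plus an HMAC tag."""
    payload = json.dumps({f: to_bitstring(m) for f, m in form_rights.items()}, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"payload": payload, "tag": tag})


def open_rights(record: str, key: bytes) -> dict:
    """Verify the tag, then de-serialize; a record edited in the database is rejected."""
    outer = json.loads(record)
    expected = hmac.new(key, outer["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, outer["tag"]):
        raise ValueError("rights record failed integrity check")
    return {f: from_bitstring(b) for f, b in json.loads(outer["payload"]).items()}


def merge_roles(role_maps) -> dict:
    """Bitwise OR of every role's mask, form by form: a right is granted if any role grants it."""
    merged = {}
    for form_rights in role_maps:
        for form, mask in form_rights.items():
            merged[form] = merged.get(form, Right(0)) | mask
    return merged


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted password hash; the login lookup compares hashes, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def login(username: str, password: str, user_db: dict, role_db: dict, key: bytes):
    """Authenticate, then build the session-held rights map from the user's roles; None on failure."""
    user = user_db.get(username)
    if user is None or not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return None
    return {"userid": user["userid"],
            "rights": merge_roles(open_rights(role_db[r], key) for r in user["roles"])}


def authorize(session: dict, form: str, right: Right) -> bool:
    """Per-form check: is the bit for `right` set for this form? Unknown forms grant nothing."""
    return bool(session["rights"].get(form, Right(0)) & right)


def handle_delete(session: dict, form: str) -> str:
    """Server-side action handler: re-check the bit before acting; a disabled button is not a control."""
    if not authorize(session, form, Right.DELETE):
        return "denied"
    return "deleted"


# Constructed sample data (not from the article): two roles, one user holding both.
SECRET_KEY = b"demo-key-replace-with-a-managed-secret"
ROLE_DB = {
    "cashier": seal_rights({"Userhome.aspx": Right.VIEW | Right.ADD,
                            "Cash.aspx": Right.VIEW | Right.CASH_REMOVAL}, SECRET_KEY),
    "auditor": seal_rights({"Userhome.aspx": Right.VIEW | Right.PRINT,
                            "Cash.aspx": Right.VIEW | Right.RECONCILE_L1}, SECRET_KEY),
}
_SALT = bytes(16)  # fixed salt so the sample is reproducible; use a random salt per user in practice
USER_DB = {
    "alice": {"userid": 1, "salt": _SALT, "pw_hash": hash_password("correct horse", _SALT),
              "roles": ["cashier", "auditor"]},
}

if __name__ == "__main__":
    s = login("alice", "correct horse", USER_DB, ROLE_DB, SECRET_KEY)
    print(to_bitstring(s["rights"]["Cash.aspx"]), handle_delete(s, "Cash.aspx"))
```

The IntFlag mask and the page's VARCHAR(20) string are the same information; `to_bitstring` and `from_bitstring` convert between them, and `from_bitstring` refuses strings of the wrong width so that a rights record written for an older right set cannot be read with the wrong bit positions. With the user above, the cashier role grants Cash removal and the auditor role grants Reconciliation level 1, so the merged mask for Cash.aspx carries both, while Delete stays unset and `handle_delete` refuses regardless of how the page was rendered.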

Still to Come......

  • A full-fledged solution with a case study, from a novice-level prototype to an advanced implementation of user rights

History

  • 21st June, 2007: Initial post

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Web Developer, India
http://www.linkedin.com/in/ashishsehajpal

Comments and Discussions

 
  • Terminology (General) - Tim McCurdy, 27-Jun-07 23:44
  • Few tips .. (General) - LogicLabs, 25-Jun-07 23:48
  • Looks familiar .. (General) - LogicLabs, 25-Jun-07 23:31
  • Huh???? (Question) - Paul A. Howes, 21-Jun-07 3:02
  • Re: Huh???? (Answer) - balazs_hideghety, 21-Jun-07 3:27
  • source code (Question) - mdissel, 21-Jun-07 2:38
  • Re: source code (Answer) - Tulesh, 19-Mar-13 20:34
    Please send me the code.