In a Windows Forms payroll application (for a small-scale client) I'm planning user permission handling as follows.

NOTE: The system could be used simultaneously by a few users (maximum 3), and the database is on the server side.

User Tables in the database.

USER (user_id[pk], name, access_level, status)

PERMISSION (permission_id[pk], permission_detail)

USER_PERMISSION (user_id[pk][fk], permission_id[pk][fk])

I would maintain the user list in the `USER` table and the permission list in the `PERMISSION` table (the permission details are the accessible module names). The intermediate table `USER_PERMISSION` would map the users to the permissions. The `USER` and `PERMISSION` tables have `1:M` relationships with the `USER_PERMISSION` table.

When a user logs in to the system, the system first validates the user; if the user is valid, the home screen is shown and the logged-in user's `ID` is held in a global variable accessible to every presenter. When the user tries to access a specific module, the system reads that global variable to find the current user's `ID` and then looks in the `USER_PERMISSION` table for an entry matching that user id and the name of the module the user is trying to open. If there is an entry, the user is given access to that particular module.

When the user logs off, the variable holding the current user id is cleared.

1. In this approach, is it okay to hold the current user's `ID` in application memory, or should it be written to a local file?

2. Modifications to the data in the tables should be tracked. For this purpose, should I maintain a separate column on each table (the ones that should be monitored) to hold the `ID` of the user who is modifying the record?

3. Can we use `SQL-SERVER` user roles/logins for this purpose, and can this user action login stuff be handed over to `SQL-SERVER`?

When controlling `Read/Write` permissions in `Forms`, the respective `Presenter` handles the logic and sets the properties in the `View` (properties like `IsModifyAllowed{get;set;}`, `IsDeleteAllowed{get;set;}` etc.) according to the current user's permissions, so that the `View` can handle the rest by `enabling / disabling` controls in the `View`.

4. In this approach, should every Model have a matching property like the one in the View (in this case `IsModifyAllowed{get; set;}` etc.)?

5. What is the most widely used approach in this case?
Updated 7-Jun-14 8:10am
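The schema and lookup described in the question, as an added example that is not part of the original post or the poster's application. It builds the three tables with an in-memory SQLite database (the poster uses SQL Server; the constraints, the `status` values, the helper names and the sample rows are constructed assumptions) and implements the per-module check as a parameterised query that also honours the user's `status` column:

```python
import sqlite3

# Schema mirroring the three tables in the question. Column names are the
# question's; the CHECK/UNIQUE constraints and sample rows are constructed here.
SCHEMA = """
CREATE TABLE USER (
    user_id      INTEGER PRIMARY KEY,
    name         TEXT NOT NULL,
    access_level INTEGER NOT NULL,
    status       TEXT NOT NULL CHECK (status IN ('active', 'disabled'))
);
CREATE TABLE PERMISSION (
    permission_id     INTEGER PRIMARY KEY,
    permission_detail TEXT NOT NULL UNIQUE   -- accessible module name
);
CREATE TABLE USER_PERMISSION (
    user_id       INTEGER NOT NULL REFERENCES USER(user_id),
    permission_id INTEGER NOT NULL REFERENCES PERMISSION(permission_id),
    PRIMARY KEY (user_id, permission_id)
);
"""

# Constructed sample data: alice is active, bob's account is disabled.
SAMPLE_ROWS = """
INSERT INTO USER VALUES (1, 'alice', 2, 'active'), (2, 'bob', 1, 'disabled');
INSERT INTO PERMISSION VALUES (10, 'Payroll'), (11, 'Reports');
INSERT INTO USER_PERMISSION VALUES (1, 10), (1, 11), (2, 10);
"""

def open_db():
    """Create the schema and sample rows in a fresh in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    return conn

def has_permission(conn, user_id, module):
    """True only if the user exists, is active, and is mapped to the module.

    Parameterised so the module name coming from the UI never becomes SQL text.
    """
    row = conn.execute(
        """SELECT 1
             FROM USER u
             JOIN USER_PERMISSION up ON up.user_id = u.user_id
             JOIN PERMISSION p ON p.permission_id = up.permission_id
            WHERE u.user_id = ? AND u.status = 'active'
              AND p.permission_detail = ?""",
        (user_id, module),
    ).fetchone()
    return row is not None
```

The presenter would call `has_permission` with the id from the global variable and the module name before setting `IsModifyAllowed` and friends on the view.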

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)