[dgersting]

Okay, this is being moved from the "Request a PHP Tutorial" forum;
http://www.dreaminco...h...st&p=573845

Here's my situation;
I'm the lead web designer for a web site that serves as a communications hub for a non-profit spanning 3 US States (WV, OH, and PA). We are currently planning for a major re-organization where our user base will be increasing from about 400 to around 1000. Also, our admin toolbox has approx. 100 pages each with View / Update / Delete Permissions (plus a few variations which add levels to view and update).

Our current system;
uses a combination of BaseGroups and SubGroups. BaseGroups being high-level roles such as 'Admin', 'Key', 'Appointed', 'User'. And SubGroups granting low-level admin access to specific areas such as 'News', 'Events', etc. We have been plagued with short comings with this system as it's not very fine-grained. This, combined with the much larger user base, has lead us to looking for a hierarchical permissions system where permissions can be inherited down from higher levels.


=================================================================

Valek, on 16 Mar, 2009 - 01:11 PM, said:

Okay, another solution would be taking the settings for all of the permissions and concatenating them, making a comma-separated string of numbers for their settings. That gives you 1000 x 1, but controlling the permissions takes a bit more backend as a result.

That would make it a 1000x1 matrix physical. Logically, it would still be 1000x300. Also, database normalization is very key to us (which CSVs break)

[roudard]

Hey,

a possible solution (that works for us with 3000+ users and about 50 web apps) is to define a set of permission for each tool eg :
1- view news
2- add/edit news
3- delete news

and then store this as an integer ... a little like unix permission system work ...
so somebody that can only view would have a 100 set which would be 4 converted back to decimal.
Then when running you can just convert the decimal you stored back to binary and evaluate each bit corresponding to the permission set.
the good thing about this is that you can define a pretty detailed set of preferences in a minimal number of bit

if you run out of bits for your set of preferences you can divide your app in several systems and give each a set of preferences

not sure if that's clear...
i can try and explain in more details, but i can't provide any code

hope this helps

[theEnigma]

Hm... I'm also interesting in a similar system.

This post has been edited by theEnigma: 17 March 2009 - 12:55 PM

[dgersting]

roudard, on 17 Mar, 2009 - 01:48 AM, said:

and then store this as an integer ... a little like unix permission system work ...
so somebody that can only view would have a 100 set which would be 4 converted back to decimal.

Hm... One of the other groups of our organization uses something similar (a binary system).

I have a couple questions if you do not mind;

• How do you store your auth info? (I'm assuming a database)
  
• How does your code check for authorization. For example; in a page the user needs add/edit news how does it accomplish this?
  
• How 'easy' is it to manage the auth? (I just seems to me as though it could quickly become overwhelming)

[roudard]

dgersting, on 17 Mar, 2009 - 11:56 AM, said:

roudard, on 17 Mar, 2009 - 01:48 AM, said:

and then store this as an integer ... a little like unix permission system work ...
so somebody that can only view would have a 100 set which would be 4 converted back to decimal.

Hm... One of the other groups of our organization uses something similar (a binary system).

I have a couple questions if you do not mind;

• How do you store your auth info? (I'm assuming a database)
  
• How does your code check for authorization. For example; in a page the user needs add/edit news how does it accomplish this?
  
• How 'easy' is it to manage the auth? (I just seems to me as though it could quickly become overwhelming)

you'd need a regular set of mysql dbs...
you'd have one db that has all employees/users info, and an auth system linked to it so that the web app knows which user is logged in.

then a permission db with a couple of tables :
- systems : desc and id,
- permissions for users: userid, systemid, permission value (the integer i talked about earlier)
- the key table would be a third table that holds for each sytem, which are the permissions and in what order are they expected.

taking the previous example :

systems : id =1 , desc = "News"
permissions for user : userid = 1, systemid =1, permission = 4
permissions definition : 3 records :
systemid = 1, perm= 0, desc = "View news"
systemid = 1, perm = 1, desc = "add/edit news"
systemid = 1, perm = 2, desc = "delete news"

Now assuming your app(with systemid=1) knows that user with userid=1 is logged in. When displaying a page, just retrieve the permission = 4 from the db. then a simple decimal to binary conversion converts it to 100, and you can compare it to the permission set form the thrid table to find out that the first bit from left to right means "View News", it's set to one so user does have access to it...

Managing it is fun .. you need to build a ui to enter the permissions for each user and write in the second table.
depending on how advanced is your user db, you can set groups and give permissions to those groups and work like this rather than user .. (if user belongs to this group then he/she has the same set of permissions)
and it makes it easier ... eg everyone in finance has the same set of permissions, everyone in IT a different set and so on

hope this helps