authorization - Permissions design pattern that allows date-based access -

-

i looking @ ways implement authorization (not authentication) scheme in app.

there 2 roles in system: , b, there may more. user's have 1 role.

basically, have set 2 database tables. 1 role-based permissions on model, , other specific user-based permissions. thinking way, users can have set of default permissions based on role-based permissions, can have specific permissions granted/revoked.

so example:

table: user_permissions columns:     user_id: [int]     action: [string]     allowed: [boolean]     model_id: [int]     model_type: [string]  table: role_permissions columns:     role: [int]     action: [string]     model_type: [string]

in user_permissions table, allowed field specifies whether action allowed or not, permissions can revoked if value 0.

in table, have definitions each action:

table: model_actions columns:     action: [string]     bitvalue: [int]     model_type: [string]

i when check permissions on model, example ['create', 'delete'], can use bitwise , operation compare user's permissions permissions checking. example, model x have following model_actions:

action: 'create' bitvalue: 4 model_type: x  action: 'delete' bitvalue: 2 model_type: x  action: 'view' bitvalue: 1 model_type: x

if user/role permissions specify create, view, , delete actions model x 1, 0, , 1, respectively, represented 110 based on model_actions table. when check if can create model x, use fact create 4 construct bitarray 100. if bitwise , operation of 110 , 100 100, permission valid.

anyway, think have granular permissions design pattern figured out. if not please feel free educate me on subject.

the actual focus of question concerns following:

some of models have actions time-dependent. example, can delete model y no more 24 hours after created_at date.

what thinking automatically create cron job when model created update permissions on date occurs. in case of model y, want insert record user_permissions revokes 'delete' action of model.

my question is: advisable?

edit

what if include row in sql tables, specifies date permission 'flip' (flipdate)? if flipdate defined, , if current date after flip date, permission reversed. seems easier manage series of cron jobs, when models may updated.

your models seems fine, but... reinventing wheel bit and, realized yourself, model not flexible enough cater additional parameters e.g. time.

in history of authorization, there traditional, well-accepted model, called role-based access control (rbac). model works extremely when have defined set of roles , hierarchy between these roles.

however, when hierarchy isn't clear or when there relationships (e.g. doctor-patient relationship) or when there dynamic attributes (such time, location, ip...), rbac doesn't work well. new model emerged few years called attribute-based access control (abac). in way, it's evolution or generalization of rbac. abac, can define authorization logic in terms of attributes. attributes set of key-value pairs describe user, action, resource, , context. attributes, can describe number of authorization situations such as:

  • a doctor can view patient's medical record between 9am , 5pm if , if patient assigned doctor
  • a nurse can edit patient's medical record if , if patient belongs same clinic nurse.

abac enables 1 call pbac or policy-based access control since authorization logic moves away proprietary code , database schemes set of centrally managed policies. de-facto standard these policies xacml, extensible access control markup language.

in nutshell, xacml lets looking in technology-neutral way, in decoupled, externalized way. means, define authorization once , enforce everywhere matters.

i recommend check out these great resources on topic:


Comments

Post a Comment

Popular posts from this blog

database - VFP Grid + SQL server 2008 - grid not showing correctly -

-
i having problem, have grid called "gridbasica" , this: thisform.gridbase.recordsource = "sgviemp" sgviemp cursor made executing select sqlserver command sqlexec. when want modify registry, go form , the update there. so, when come form grid, grid isnt grid anymore, big white rectangle. reading around said: delete recordsource , asingt again. thisform.gridbase.recordsource = "" *--i sqlexe here thisform.gridbase.recordsource = "sgviemp" i , works, but, when click button modify again cursos updated modify form doesnt load fields did first time. could me out that? thanks in advance. --------------- edit ------------------ i have been doing recommended: lnselect = select(0) n = sqlexec(thisform.conexion,"select emp_ccodigo codigo, emp_cnombre 'nombre o razon social', emp_cnumrif 'r.i.f' sgviempr","sgviemp1") set echo on suspend select sgviemp zap in sgviemp *-- browse *--zaps correct
Read more

jquery - Set jPicker field to empty value -

-
im using jpicker color selector in form. have clear value set window/icon 'no color selected' state. i've tried following: $(':input[name="color"]').val(''); //access value directly. (does not affect jpicker) 2: $.jpicker.list[0].color.active.val('hex', '', this); //set color black , input value 000000, instead of empty string 3: $.jpicker.list[0].color.active.val(null, '', this); //does nothing none of 3 methods seems behave properly. in advance. this works me :) $.jpicker.list[0].color.active.val('v', null); here example: http://jsfiddle.net/3up7n/
Read more

.htaccess - htaccess convert request to clean url and add slash at the end of the url -

-
ok , searched more 4 days , more 20 posts here in stach or in websites without kind of success first here htaccess file rewriteengine on rewriterule ^([a-za-z0-9_]+)/?$ index.php?page=$1 [nc] rewriterule ^([a-za-z0-9_]+)\/([a-za-z0-9_]+)\/?$ index.php?page=$1&action=$2 [nc] i tried many codes 1 worked me can call request , works me www.example.com/pagename => www.example.com/index.php?page=pagename here questions , please provide me information "in detail" understand code well 1- how convert request automatically www.example.com/index.php?page=pagename www.example.com/pagename 2- if tried add slash @ end shows me page without images or styling mean www.example.com/pagename => works www.example.com/pagename/ => doesn't work that's :) for first part need 301 rule this: rewritecond %{the_request} /index\.php\?page=([^\s&]+) [nc] rewriterule ^ /%1? [r=301,l] for second part use absolute path in css, js, images files r
Read more