Menu
I want to build a Hierarchical Role Base access control.
This is my current schema:
Currently I have two options to build this system:
Attach all required permission to a role (not-hierarchical)
Attach only special "level" permissions and inherit the ones that have lower level
Is there a better approach or is just depends on my project needs?
I am inclined to choose the Hierarchical one just because of simplicity. If I do so, is there any better way on selecting Permission Levels, maybe using binary numbers?
Option 2 would have some Levels for Roles and I would have some level numbers for permissions. Therefore, when I create a Full Administrator the role will inherit all the other permissions since that would be Level 4 while the other permissions would have a number smaller than Level 4 (or 4000).
Is this overkill?
905
Hierarchical access control policies, in which users and objects are associated with nodes in a hierarchy, can be enforced using cryptographic mechanisms. Protected data is encrypted and authorized users are given the appropriate keys.
Technical – assigned to users that perform technical tasks. Administrative – access for users that perform administrative tasks.
An organization assigns a role-based access control role to every employee; the role determines which permissions the system grants to the user. For example, you can designate whether a user is an administrator, a specialist, or an end-user, and limit access to specific resources or tasks.
I recommend going with a variation of "Approach #1" - non-hierarchical Roles.
I've worked with similar systems with great success. While at first this approach may appear 'less structured' it is relatively simple and is very flexible; when allowing multiple Roles-per-User and defining rules for aggregating permissions.
Like an 'OO hierarchy', using a role hierarchy leads to a strict substitution-relationship. This makes it harder to define roles based on changing requirements.
For example, maybe there is a future need for an 'Administrator' account which cannot create their own posts. The hierarchy (and the substitution-relationship it has) prevents this without changing the tree structure itself because a "Full Administrator" is-a "Paid User".
Queries against a true hierarchy are more complex in SQL; especially in implementations that do not support recursive queries, like MySQL. Switching to a hierarchy using a nested-set or materialized approach forces an additional structure over just a parent-child relation.
You Just Don't Need It; the more complex software is the harder it is to write and maintain. While hierarchies are very good in certain cases - such as with a Bill of Material or Genealogy or Directory Structure - there is simply not a 'need' in most Role/Group-Permission models.
Roles, without a 'parent type' dependence, function more like 'OO interfaces' - well, maybe Trait composition would be more apt if analogies are to be stretched. The implementation (read: granted Permissions) of each Role can change independent of any other Role making it extremely flexible. And like interfaces, more than one Role can be assigned to a given User/entity.
Queries against a flat User <M-M> Role <M-M> Permission model are much simpler in SQL (with or without recursive support, or additional structure) because there is simply no Role hierarchy to traverse.
Windows ACL Groups (let's ignore nesting groups) work much like Roles; a User belongs to one or more Groups which grants (or denies, but that's a different situation) Permissions.
The variation I recommend, and have hinted to above, is to allow aggregation of permissions across Roles. A simple aggregation model is this:
A User has the union of Permissions from all the Roles they are assigned.
(The effective permissions would generally be built during authorization, but without a hierarchy it is also relatively simple to query in SQL.)
Thus the Permissions are bound per Role with little or no overlap, as show in "Approach #2", with this difference: There Is No Hierarchy.
For example, to allow a special administrator who can search for posts (and delete 'bad' posts), one would simply assign the "Basic User" and the "Limited Administrator" Roles1.
Using a non-hierarchical multi-Role capable system allows this cleanly, shrugging off the burden of a hierarchy, while still providing flexible/composable/configurable Role archetypes.
1 This is not a particular good example. In reality the Roles should have different names (eg. "Account Support" or "Content Moderator") and cover different Permission sets; these will likely change over time based on trial and error and flavor-of-the-month business rules.
While I've spoken against a hierarchy for such, in more complex systems there may be a need to allow relationships between Roles, primarily for grouping of such. This relationship should generally be independent of the effective Permissions applied, existing for other managerial purposes.
138
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
