平台,框架&库
现在阅读
How to Manage Role Based User Rights
0

How to Manage Role Based User Rights

由 ultracpy2018年1月27日

Screenshot - DFD_UserRights.gif

Introduction

The main issue behind the failure of any automated system is the presence of loopholes in the security system or the bugs in rights management.

  • Unauthenticated visitors getting access to the system
  • Unauthorized users getting rights to access the critical areas

Popular Approaches Used In Common Practice

  • Managing user rights in session object
  • Fetching permission from database for every Webform (database overhead)
  • Complexity of overall process is O(n2)
    • E.g. if there are 1000 users
    • There are 300 Web forms
    • There are 20 types of rights, i.e. Add, Edit, Delete,
      Reconciliation level 1, Reconciliation level n, View,
      Print, Cash removal, etc.
    • It means there will be 1000 X 300 records in database for user rights (300000 records).
    • It means there will be 1000 X 300 X 20 cells to be fetched for rights management (6000000 cells)

Proposed System

  • Storing Rights
    • Define bit value for every right
    • Define string containing bit wise rights information for particular Webform
    • Maintain data structure e.g. HASHTABLE to store bitwise rights string for corresponding Webform
    • Serialization:
      • Serialize the data structure
      • To store the data structure into database or storage media
    • Store the serialized data structure into the database for a particular user against userid
  • Fetching Rights
    • Based on the userid, fetch one record from the database (serialized data structure)
    • De-serialize the data structure
    • Store the data structure into a session object
  • Implementing Security System
    • Authentication Procedure
      • Get details from database based on username and password
      • If successful, opt for authorization procedure per Webform
      • If unsuccessful, let the user on login gateway
    • Authorization Procedure (Web form based)
      • Based on userid from session object and comparing to the corresponding bitwise string Webform wise, fetch the rights string
      • Make the corresponding buttons, links, contents enabled/disabled based on bit value for corresponding rights
  • Process Flow
    • Complexity of overall process is O(n)
      • There are 20 types of rights
      • It means we are having a string of type VARCHAR(20) only for storing access rights per Webform
      • There are 300 Webforms
      • It means we’ll be having a tabulated data structure having 300 rows with 2 columns

      WebForm Name / ID Bitwise Rights String
      Default.aspx 11111111111111111111
      Login.aspx 11111111111111111111
      Userhome.aspx 11010101001000000000
    • Post serialization, we’ll be having only a single value to be stored into a database for a complete data structure
    • If there are 1000 users
      • Only 1000 records will be there in the database
      • Only 1000 cells to be fetched from database for rights management
  • For more secure environment, Triple DES encryption can be used for storing and retrieving bitwise rights string

Points of Interest

  • Length of bitwise right’s string should be kept according to the number of available rights
  • Encryption should be used as per the environment

Loopholes

  • More overhead for managing rights per user
  • Time taken for updating the number of forms i.e. adding new forms and maintaining rights

Possible Solution

  • Saving information in database for a particular roleid instead of userid
  • Managing roles per userid
  • 1:N relationship between userid and roleid
  • Having a procedure for fetching rights using logical OR operator for multiple roles assigned for any userid

Still to Come……

  • Full fledged solution with case study from novice level prototype model to advanced implementation of user rights

History

  • 21st June, 2007: Initial post

出处:https://www.codeproject.com/Articles/19281/How-to-Manage-Role-Based-User-Rights

关于作者
ultracpy
评论

你必须 登录 提交评论