Permission - Role Based data model

sqlguru · #1 (**permalink**) 06-29-09, 11:33

I'm trying to design a role based permission data model. I'm not sure how vb bulletin or phpbb does it (anyone know?).

I have a roles table - Guests, Members, Forum Moderators, Forum Administrators, System Administrators

Account Permissions: approve accounts, lock accounts, ban accounts, unlock accounts etc
System Permissions: change system settings
Forum Permissions (based on forum) - create topics, post polls etc
Blogs - create blog, post comment etc

Members can have multiple roles (highest permission overrides).

gvee · #2 (**permalink**) 06-29-09, 11:40

Moved to Database Concepts & Design

pootle flump · #3 (**permalink**) 06-29-09, 11:42

phpbb is free - you can download that (or any one of a lot of open source forum software) to see exactly how they do it.

Other than that, there doesn't appear to be a question in there....

Pat Phelan · #4 (**permalink**) 06-29-09, 12:33

As a general rule of thumb, permission systems apply to groups and users. Permissions are required to performa certain (often any) actions. Permissions come in two flavors, permit and deny. The presence of any deny ends the security check, one deny trumps any permit. Otherwise, you check to see if the user or any groiup that the user belongs to has a suitable permission to determine if they can perform the requested action.

Different systems implement the security model differently, but the general principles seem to be the same everywhere.

-PatP

sqlguru · #5 (**permalink**) 06-29-09, 14:09

phpbb and most other forum systems are based off the eav model for access role permissions.

I'm also going to use the eav model. I'm using all stored procedures and checking the permissions in each stored procedure.

For an example, in the stored procedure "NewMember", I check to make sure that the current member has permissions to create new members etc.

The permissions table has about 200 rows (forum_create, forum_edit, group_create etc), the groups table has about 100K rows (but 10 of them are system groups like administrators, members that has actual permissions defined).

This is the actual "HasPermission" query that fires everytime an "action" occurs inside a SP: (any optimizations?)

Code:

ALTER PROCEDURE [dbo].[HasPermission] 
	@mem_id INT,
	@perm_type VARCHAR(25),
	@perm_name VARCHAR(25)

AS
BEGIN
	-- SET NOCOUNT ON added to prevent extra result sets from
	-- interfering with SELECT statements.
	SET NOCOUNT ON;
	
	SELECT 1 FROM dbo.group_permissions a WHERE  
		EXISTS
		(
			SELECT group_id FROM dbo.group_members b WHERE b.mem_id = @mem_id AND
			b.group_id =a.group_id 
		) AND
		EXISTS
		(
			SELECT perm_id FROM dbo.permissions c WHERE c.perm_type = @perm_type AND c.perm_name = @perm_name
			AND c.perm_id = a.perm_id
		);

Also, what is the long term impact of using this model?

pootle flump · #6 (**permalink**) 06-30-09, 04:14

I've only glanced at phpbb, but it isn't EAV.

Based on your query, your design isn't EAV either.

Your query looks fine. The only thing is that it implies that you can have multiple permissions of the same name but different types - is that correct? Also, I would return a status code rather than a result set (more efficient).

Your sproc looks like it should handle all permission checking - so why

Quote:

Originally Posted by sqlguru

in the stored procedure "NewMember", I check to make sure that the current member has permissions to create new members etc.

? You don't need or even want one procedure for each permission.

pootle flump · #7 (**permalink**) 06-30-09, 04:24

Just to give you another option to consider - you may decide you don't like it and dismiss it - but permissions are also often stored as bitmaps.

sqlguru · #8 (**permalink**) 06-30-09, 07:24

Quote:

Originally Posted by pootle flump

Just to give you another option to consider - you may decide you don't like it and dismiss it - but permissions are also often stored as bitmaps.

Can you give an example of this (or a link)?

sqlguru · #9 (**permalink**) 06-30-09, 07:24

Well, take a social networking application as an example. The forums have permissions that depend on "each" forum AND they can inherit the parent forum permissions etc.
Then there are "member" based stuff like "change username", "leave comments", "enable blog"
Then there are "system" based stuff like "approve members", "change sys settings".

I have all of these permissions in a permissions table with a perm_type (forums, system, members etc) and perm_name (leave comment, enable blog, can post).

The thing is that inside the stored procedures (say NewMember), it checks to make sure that the currently logged in user has proper permissions to create a new member (it calls HasPermission 'members', 'can_create', @currentuserid). The application layer also calls HasPermission. Like, if there is a "create post" button, if the current user does not have permission to post....the application checks the permission and hides the button. The stored procedure for creating the post also checks the permission.

pootle flump · #10 (**permalink**) 06-30-09, 10:24

Ah - I understand. I thought you meant a sproc for each permission, not each action.

Quote:

Originally Posted by sqlguru

Can you give an example of this (or a link)?

The below essentially does this, just imagine it was a column in the Users table rather than a function
PERMISSIONS (Transact-SQL)
Where you stand on atomicity of column values may influence your thoughts on this.

gvee · #11 (**permalink**) 06-30-09, 10:44

Quote:

Originally Posted by sqlguru

Can you give an example of this (or a link)?

Quick SQL Server example

Code:

/*
2  = can edit posts
4  = can move posts
8  = can delete posts
16 = can ban users
*/

DECLARE @permissions int

DECLARE @edit_posts   bit
      , @move_posts   bit
      , @delete_posts bit
      , @ban_users    bit
      
SET @edit_posts   = 0
SET @move_posts   = 1
SET @delete_posts = 0
SET @ban_users    = 1

SET @permissions = Power(2 * @edit_posts  , 1)
                 + Power(2 * @move_posts  , 2)
                 + Power(2 * @delete_posts, 3)
                 + Power(2 * @ban_users   , 4)

PRINT @permissions 

IF 2  & @permissions = 2  PRINT 'Can Edit Posts' 
IF 4  & @permissions = 4  PRINT 'Can Move Posts' 
IF 8  & @permissions = 8  PRINT 'Can Delete Posts' 
IF 16 & @permissions = 16 PRINT 'Can Ban Users'

sqlguru · #12 (**permalink**) 07-01-09, 10:12

I don't think that will work.

How about this model:
Fine Grained Role Based Access Control (RBAC) system - SQL Recipes a FREE cookbook of SQL queries and examples

I haven't built an RBAC system before (usually use simpler ACL system) but does the above model have any performance implications?

pootle flump · #13 (**permalink**) 07-01-09, 10:18

Quote:

Originally Posted by sqlguru

I don't think that will work.

...because?

Quote:

Originally Posted by sqlguru

How about this model:
Fine Grained Role Based Access Control (RBAC) system - SQL Recipes a FREE cookbook of SQL queries and examples

I haven't built an RBAC system before (usually use simpler ACL system) but does the above model have any performance implications?

Not used. More importantly, does this meet requirements your current model does not? Because this is driven by a business need, not a technical one. It is your model just extended with more granular controls AFAICT.

Internet Services

Web Development

Digital Marketing

Consumer Tech