thoughts on page protection scheme

mystrymaster

I am in the process of creating a page protection scheme where it would not be as cut and dry as simply defining roles for each user as some users would be of one role and need to see parts of another roles functions.

Still with me?

Alright so my though is a table

ID
URL

where it would store the url's of all the protected pages

A clearence table for each user where it would store there access levels in a comma delimited field.

USERID
Clearnece

then I would as admin of the system set people up with rights to be able to protect or unprotect a page via a link on each page that would only display if the have rights to protect or unprotect a page. This is for an intranet so it would never get overwhelming with new user signups.

What are your thoughts on this?

Has anyone done something simliar in what I am trying to accomplish in another way?

any feedback would be appreciated.

drawmack

I think you'd be better served with a group level scheme.

mystrymaster

explain how you mean group level scheme a little more please

The problem with a group level protection as I understand it is

I am a member of group A

You are a member of Group B

I as a member of group A am allowed to see C,D,E and F

You as a member of group B are allowed to see G,H,I and J

now how do I grant you access to view C without allowing you to see D,E,F

now in a prefect world we could say you have access to C so you should be able to see D, E and F as well but that is not the case I need a very very flexible protection scheme.

It is for an intranet application and Supervisors delegate certain portions of there duties to the peer mentors however each supervisor and there adjoining Peer mentor do this in there own way and not every Peer mentor has access to the same things.

I can not change the way they do buisiness so I am trying to provide them with a very flexible back end that can handle this.

drawmack

With a group level scheme you would give all the people in group a the ability to view document c, now when someone new comes along you just add them to group a and they can view all of group a's stuff.

mystrymaster

and whatabout someone who is actually a member of group B how would I give them access to just C without the rest of Group A's persmissions?

drawmack

you can create as many groups as you need.

In a group based protection scheme each person should be a member of at least three groups

1) General - everyone belongs to this group
2) Themselves - a group containing only themselves, this way if they need some strange rights you can accomodate it
3) Their department - self explainatory

If you're confused about how group access works think of it like use windows built in protection to protect different sections of the site.

mystrymaster

alright that makes a little more sense however that seems like alot more trouble then what I am thinking of. I'll have to chew on it for a little while.

drawmack

it will be a lot harder to put into place but in the long run you'll be glad you have it.

Think about it accounting has access to 300 documents.

Your way you have to manually give a new member of accouting access to those 300 documents.

My way you just make them a member of the accounting group.

mystrymaster

alright so if I am following correctly each page would be assigned a group ID or several Group ID's that correspond with each individual group. But how does this account for the individual persons group as per your prior example?

If I want a new person to have access to a page outside of there normal group scope I hvae to indivually add them to that page's allowed List?

groovything

it sounds like a lot of administration on your part, but you could create the table like

url | link_name| menu_order | allowed_users

then add each user id of the clients who are granted access to the page to the allowed user field like ",1,2,3,4,".

then generate the menu dynamically like:

 <?	$result = mysql_query ("select * from pages where allowed_users like '%,$session_logged_in_ID,%' order by menu_order asc"); 


while ($row = mysql_fetch_array($result)) 
{
$STRurl = $row["url"];
$STRlink_name = $row["link_name"]; 
?>

<tr><td><a href="<? echo $STRurl ?>">$STRlink_name</a></td></tr>
<? } ?>

this is bare bones but you get the idea.

dont know if it's useful, but it's an idea.

drawmack

you would have database tables like this

users
  id
  name
  <etc>

groups
  id
  name
  <etc>

pages
  id
  name
  <etc>

users_to_groups
  id
  user_id
  group_id

pages_to_groups
  id
  pg_id
  group_id

Now when a page gets added, the groups that can access that page are associated with that page. Users are associated with groups and so users can access pages which any of their groups can access. It all becomes a couple simple queries. The owner of the page should be the one who defines access rights to that page. When someone creates a page they can make it be owned by any of their groups for example.

Joe Smith belongs to groups general, accounting and jsmith
Bill Smith belongs to groups general, billing and bsmith
Alice Smith belongs to groups general, accounting, billing and asmith

Joe Smith creates a document (passed_due_accounts.txt) and makes it be owned by accounting but viewable by billing and jsmith. Now Alice or Joe can modify the document while Bill can only look at it.

Alice creates a document (employee_salaries.txt) and makes it owned by asmith and viable by accounting. So only she can modify it while Joe can look at it and Bill is oblivious to its existence.

Bill makes a document (why_alice_sucks.txt) and makes it owned by bsmith and vieable by jsmith. So only he can modify it but Joe can view it while Alice is oblivious to its existence.

Now let's say you hire John Doe and he's in billing. You just make hime a member of billing and he can view all the documents viewable by billing and edit all of the documents owned by billing.

Is this making sense.