tags:

views:

122

answers:

2
+1  Q: 

How to implement database access control on row basis

Hi,

I'm currently developing a small business database application for which we plan to go towards multi-user access in the next time.

The database mainly contains projects (in a project table) with a couple of joined tables containing additional information.

One requirement of our customers regarding multi-user operations will be a fine-grained access control mainly based on project level (i.e. users only have access to some projects). I'm wondering how to implement this.

What makes the situation a bit more difficult is that database access mainly happens in a self-developed persistence layer which construct the needed SQL queries (resembling to nhibernate).

The only solution I could come up with is to implement stored procedures (or views for read access?) inside the database which implement the access checks. Since our persistence layer currently relies on full access to tables this would mean to implement a read view, one insert and one delete command for each table and to change the persistence layer in order to use these commands (instead of constructing INSERT/DELETE queries).

I'm wondering if there's any other solution not requiring to change our code...

+1  A: 

This sort of thing can be challenging to get right. Among other things, requirements like this are a reason to build on top of a packaged system - they will already have fixed bugs you haven't written yet.

If you have to do it on your own, then I recommend you concentrate on getting the security aspect right, and worry about changing your code later. You wouldn't want to compromise security because of a desire to not change your code.

You might be able to arrange for a single additional piece of information to be passed into the stored procedures. Depending on your SQL Server version this could be a piece of XML, or a table-valued parameter. It would include all of the information necessary to determine the access that the user should have. Maybe just a user id, but who knows?

You'd want to create views and/or table-valued functions that used this information to filter the set of rows returned based on access.

John Saunders  2009-07-13 22:53:17
+1  A: 

One simple (but crude) approach is to create a VIEW for each group of users using the WITH CHECK OPTION. You may also need INSTEAD OF triggers on those VIEWs to allow more complex logic for INSERT, UPDATE and DELETE operations.

onedaywhen  2009-07-13 23:56:51

related questions

What language do you use for Postgresql triggers and stored procedures?
Are Multiple DataContext classes ever appropriate?
Which tools do people use to create Data Dictionaries?
Any experiences with Protocol Buffers?
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
How do I index a database field
How does database indexing work?
How do I connect to a database and loop over a recordset in C#?
Editing database records by multiple users
Object Oriented vs Relational Databases
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
Embedded Database for .net that can run off a network
Connect PHP to an AS/400
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
.NET Migrations Engine
Is there a version control system for database structure changes?
SQLite and XSD
How do I version my MS SQL database in SVN?
XSD DataSets and ignoring foreign keys
Flat File Databases in PHP
Throw Error In MySQL Trigger
Binary Data in MySQL