tags:

views:

186

answers:

1
Q: 

The right way to manage user privileges (user hierarchy)

I want to allow users of my application to add sub-users and set privileges for what each sub-user is allowed to view or do.

My ideas is to have a separate PRIVILEGES table, like this:

+-----------------+--------+
|privilege        |  value |
+-----------------+--------+
|create sub users |    1   |
|edit own profile |    2   |
|add new site     |    3   |
|delete site      |    4   |
+-----------------+--------+

Then when the main user selects privileges update the sub users privilege column with the value, for example:

+--------------+-----------+
|user_id       | privilege |
+--------------+-----------+
|user_1        |     4     | 
|user_2        |     2     |
|user_3        |     1     |
|user_4        |     2     |
+--------------+-----------+

But the values do not give unique amounts. For example:

privileges
1 -> create sub users
+
2 -> edit own profile
= privilege 3 (create sub users, edit own profile)

but also there is another privilege for value 3 (add new site) so this will not work.

So my question is: How do I make any possible privilege combination unique?

Is there a smarter way to manage privileges?

+5  A: 

If you want to keep this as one column, use base 2 placeholders.

1 - represents priv 1
2 - represents priv 2
4 - represents priv 3
8 - represents priv 4
16 - represents priv 5
32 - represents priv 6

Then you can take a modulus of each to determine if they have that priv.

So..

3 = priv 1 and priv 2
9 = priv 1 and priv 4

63 = all privs.

and so on.

It may be simpler to just have your priv table allow multiple entries per user.

EDIT: If you still wish to use the single column to store priv, add another column that stores who gave the permission.

But... I'd still suggest storing each priv separately. Create a table with a combined primary key on priv, user_id, and grantor. The combined primary key will ensure that each priv is unique so you don't need to check before inserting. To create a combined primary key:

ALTER TABLE priv ADD PRIMARY KEY (user_id,grantor,priv_id);

Then to add or reset a priv, REPLACE INTO priv (user_id,grantor,priv_id) VALUES (?,?,?)

To delete a priv for a user, DELETE FROM priv WHERE user_id = ? AND priv_id = ?

To delete all priv for a user, DELETE FROM priv WHERE user_id = ?

To delete all sub users for a grantor... DELETE FROM priv WHERE grantor = ?

Getting all privs for a user within a grantor: SELECT * FROM priv WHERE user_id = ? AND grantor = ?

Daren Schwenke  2009-10-24 22:40:00
Excellent. That was easier that I expected. Big thanks!
Chad  2009-10-24 22:44:28
One other question: Say super_user 1 and super_user 2 both add sub_user 1. How would you map this in the database?
Chad  2009-10-24 22:46:50
by the way. There is only one users table, where both sub_users and super_users are stored.
Chad  2009-10-24 22:49:48
Yes, if I understand correctly, this will allows, sub_user 1 to be a member of as many accounts as needed correct?
Chad  2009-10-24 23:06:59
yes. I guess grantor would be account_id if that's the terminology you are using.
Daren Schwenke  2009-10-24 23:13:09
Thanks again, Daren, you have given me many idea/options. Now I can get to work :)
Chad  2009-10-24 23:17:08
Is there another way to achieve this without exponentiation?
Chad  2009-10-29 10:03:47
Building it up is addition. Tearing it down is modulus. No exponentiation the way I did it. I'd still recommend using a separate table for this.
Daren Schwenke  2009-10-29 13:10:03

related questions

What language do you use for Postgresql triggers and stored procedures?
Are Multiple DataContext classes ever appropriate?
Which tools do people use to create Data Dictionaries?
Any experiences with Protocol Buffers?
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
How do I index a database field
How does database indexing work?
How do I connect to a database and loop over a recordset in C#?
Editing database records by multiple users
Object Oriented vs Relational Databases
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
Embedded Database for .net that can run off a network
Connect PHP to an AS/400
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
.NET Migrations Engine
Is there a version control system for database structure changes?
SQLite and XSD
How do I version my MS SQL database in SVN?
XSD DataSets and ignoring foreign keys
Flat File Databases in PHP
Throw Error In MySQL Trigger
Binary Data in MySQL