As far as I'm aware there are two main styles of permissions systems out there. I would like to know if the multi-group option is really worth the extra trouble or system load (more queries). It seems that with proper application design there is no need for users to have more than one class - though my applications have never made it big enough for me to know.

Sam is a member - he cannot access admin content. Joe is an admin - he can change author posts. One user is in one group, and groups cascade permissions. Think WordPress.

  • Multi-group user system (users with groups/roles)

Sam is a member and moderator - but he still cannot access admin content. Each user can have many groups which all combine to show what he can/cannot do.

Why not just have Sam as a moderator and all moderators inherit member privileges? Also, which one works better with ACLs?

A: 

One application I worked on recently involved several "work areas", each of which a user can be provisioned to access. These work areas, e.g., A, B, and C, are not hierarchically related, so a user could have access to A and C, but not B, or any other combination. In a case like this, inheritance doesn't help and a user needs to be assignable to multiple roles.

ElectricDialect
That's a good example. But couldn't the application have been designed to use a cascading approach instead?
Xeoncross
No, because the work areas are totally independent. Being provisioned for one work area does not imply any access to other work areas, though it's possible for users to have access to several. Imagine an application where each project a company works on requires secure access, and some employees work on multiple projects.
ElectricDialect
+1  A: 

It's possible that two groups might inherit permission from one lower group, but those two groups cannot share permissions.

Say, for example, you have users that can post to the forums.

Then, you have people in charge of moderating users. Those people can reset passwords, ban users, promote users, etc. Plus, they can post to the forums.

You have another group in charge of moderating content. They can modify/delete posts, rearrange the posts, etc., but they cannot do anything with user accounts. Plus, they can post to the forums.

Then you have the administrators who can do it all.

In this case, the user moderators and the content moderators both inherit from general users, but do not share permissions. There are certainly cases where multiple-group systems are useful, but they definitely aren't necessary in every system.

Aaron
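As an added example (not code from the question or from either answer), here are both designs discussed above modelled in Python: `expand_role` is the cascading single-group lookup, `effective_permissions` is the multi-group union, and `single_role_covering` tests whether a required set of permissions can be granted by one role at all, which is what separates the two answers' scenarios. Role and permission names are constructed for the demo.

```python
from typing import Dict, FrozenSet, Iterable, Optional, Set

# Hierarchy from the second answer: the moderator roles cascade from "member"
# but not from each other; "admin" cascades from both. Work areas are unrelated.
ROLE_PARENTS: Dict[str, FrozenSet[str]] = {
    "member": frozenset(),
    "user_mod": frozenset({"member"}),
    "content_mod": frozenset({"member"}),
    "admin": frozenset({"user_mod", "content_mod"}),
    "area_a": frozenset(),
    "area_c": frozenset(),
}
# Permissions granted directly by each role (constructed names).
ROLE_PERMS: Dict[str, FrozenSet[str]] = {
    "member": frozenset({"forum.post"}),
    "user_mod": frozenset({"user.reset_password", "user.ban", "user.promote"}),
    "content_mod": frozenset({"post.edit", "post.delete", "post.move"}),
    "admin": frozenset({"site.configure"}),
    "area_a": frozenset({"area_a.access"}),
    "area_c": frozenset({"area_c.access"}),
}

def expand_role(role: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Single-group (cascading) resolution: a role's own permissions plus those
    inherited through its parents. `seen` stops a mis-configured cycle."""
    if role not in ROLE_PERMS:
        raise ValueError(f"unknown role: {role}")
    seen = set() if seen is None else seen
    if role in seen:
        return set()
    seen.add(role)
    perms = set(ROLE_PERMS[role])
    for parent in ROLE_PARENTS[role]:
        perms |= expand_role(parent, seen)
    return perms

def effective_permissions(roles: Iterable[str]) -> Set[str]:
    """Multi-group resolution: union over every assigned role (one role = single-group)."""
    perms: Set[str] = set()
    for role in roles:
        perms |= expand_role(role)
    return perms

def single_role_covering(required: Set[str]) -> Optional[str]:
    """Least-privileged single role whose cascade grants every required permission,
    or None when only a combination of roles can (the first answer's work areas)."""
    fits = [r for r in ROLE_PARENTS if required <= expand_role(r)]
    return min(fits, key=lambda r: len(expand_role(r))) if fits else None
```

With a hierarchy like this, `single_role_covering` returning `None` for a real access requirement is the signal that one-role-per-user is not enough for that application.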
