Folder permissions based on users and groups

views:

162

answers:

Folder permissions based on users and groups

Hey Im working on a folder tree and need to be able to limit the visibility of certain folder based on the user and the group they belong to. I already have a database representation of all the folders in the tree and the hierarchy of the folders. My question now is how to best represent the permissions.

If I have to possibly look up permissions in a separate table for each folder out there, this could get expensive ( I am granting that because of the hierarchy, we can hide all children of a hidden folder node so they can be discounted).

Does anybody have any good models and algorithms that would make this better? I figure unix file systems have been doing it for awhile, so there must be some really good ideas about how to model this problem.

Note that in the model I am dealing with there is no "owner" of the folder. A folder can be visisble to a user on a case by case basis.

I'm using Java and Mysql btw

+1 A:

On a basic level, the best thing to do is go with your first instinct and create a look-up table for the permissions against the unique id of the folder.

Then benchmark.

If it's too resource-dependent, you could include the permissions as part of the folder representation in your core database.

But get it working first, and then work out if the performance penalties are too high.

deworde 2010-09-07 19:14:15

The performance costs are too high for me to just use a look up table. I could include it as part of the folder representation, but I would rather not add three more columns to track whether the folder is hidden for a group, user and all users.

stevebot 2010-09-07 20:06:19

Then don't. Add one more column, and aggregate that information into a single checksum.

deworde 2010-09-08 09:52:09

Also, I assume you mean "the folder grants access to 'only its group', 'only its creator' or 'all users'". Otherwise you'd have to grant permissions on a user by user basis, and I'm not sure that'll scale well.

deworde 2010-09-08 09:54:08

If you want the example of how Unix handles combining the permissioning into one easy to check number: {http://www.zzee.com/solutions/unix-permissions.shtml#zzee_link_3_1077830297}

deworde 2010-09-08 09:56:26

In addition to that permission column, he needs to save the user and group for each folder. So i think with three columns he meant user (owner), group and permissions.

rudi-moore 2010-09-08 10:56:25

The permissions will enable a folder to be viewed/not viewed by thousands of users on a case by case basis. I need a mapping between the folder and all those users.

stevebot 2010-09-08 15:21:57

I also realized that the three column idea will not work because I need to map the folder to multiple users and groups. :(

stevebot 2010-09-08 15:31:10

Ah. Then the best thing to do is to use the idea above, but to manage the access group in such a way that it can contain other groups.e.g. "group you're giving access to" becomes a subset of "group who are granted access".

deworde 2010-09-09 10:53:20

Basically, you need to make your insertion and removal of members from groups more complex, so that you can reduce the time it takes to check whether a user has access.This is fine, because granting permissions is a far rarer operation than checking them, so it can be as inefficient as is necessary.

deworde 2010-09-09 10:58:30

One thing to consider: Altering permissions is a rare operation, as is checking permissions for a group, whereas checking permissions for an individual user is incredibly common (every time a user accesses a folder). So the best way to write the algorithm is to bias speed towards checking the mapping from user/folder, and against privilege alteration.

deworde 2010-09-09 11:04:10

+1 A:

I guess it depends on how your system will be used, specifically the number of users & folders.

You could:

build entire folder structure per user each time a user "logs on"

Gives you fast traversal, with a higher initial overhead (depending on what your application is this may not be noticable)

build single level folder structure each time a user changes their current working folder

Removes any initial overhead, for users who don't change folders there's no performance cost

As for representing the permissions, you might want to look at how the NTFS permission model works, you can grant or revoke permissions, and set them to inherit or not. This is probably the most complicated you could get, if you can simplify to not handle revoked permissions and always inherit you just need to traverse the folder hierarchy from top down until you find a grant or terminate. Depending on how you allow users to navigate your structure you can nicely simplify this to just listing nodes under the current folder that a user can see, as they must already implicitly be able to see the current folder.

Schema wise you have a many-to-many relationship between folder & user/group (you can should you wish model users and groups as a single entity), your permission object is either a simple boolean, or a more complex object depending on what permission types you want to support. I'd setup something like this, using one of the isValid methods depending on how complex your model is.

alt text

Jon Freedman 2010-09-10 12:44:49

ansaurus

tags:

views:

answers:

Folder permissions based on users and groups

build entire folder structure per user each time a user "logs on"

build single level folder structure each time a user changes their current working folder

related questions