Hierarchical Group Permissions Theory/Resources?

Question

Does anyone know of some good resources related to setting up heirarchical user account systems? I'm currently setting one up and am struggling with some of the more complex logic (especially with determining permissions). I was hoping I might be able to find some resources to help me along.

Some Background: I'm building a user account system for a web CMS that allows for a nested group hierarchy. Each group can be allowed/denied access to read, write, add, and delete (either explicitly for that group, or implicitly by one of its parents). As if that weren't complicated enough, the system also allows for users to be members of multiple groups. -- This is where I'm stuck. I've got everything set up, but I'm struggling with the actual logic for determining pemissions for a given user.

Answer 1

Look at the permissions in the Andrew File System. It allows users to create and administer groups of their own, while selectively assigning admin rights and ACLs. You might find that many of the pesky details are already worked out for you in their model.

Edit: here's a better link to AFS documentation:

http://www.cs.cmu.edu/~help/afs/index.html

Here's the section on groups:

http://www.cs.cmu.edu/~help/afs/afs_groups.html

Answer 2

The manual for CakePHP has an excellent description of how Access Control Lists work.

http://book.cakephp.org/view/1242/Access-Control-Lists

Answer 3

I've done exactly this before and its no trivial implementation. You're going to want to look at the SecurityPermission class.

[http://msdn.microsoft.com/en-us/library/system.security.permissions.securitypermission.aspx][1]

I have done this before by utilizing XML (which I'm not sure I'd do again) and storing that XML as permission list inside of SQL server in an XML column through a CLR stored proc. The XML would have an element called a "permission" and then the permission would actually be a ENUM inside of the code. Each permission was a new implementation of the SecurityPermission class (linked above) Users were tied to groups which were defined in SQL server and then as the user was added/removed to groups, the XML doc would get updated to reflect which groups they were apart of.

As soon as the user logged in, the users credentials would be loaded into the application store (session) and then would be accessed accordingly. When authorization needed to take place the XMl in the application store would be pulled down loaded into the SecurityPermission via the "FromXML" method. At that point I would use the following methods to determine if the user had permission:

• Demand
• Intersect
• Union
• IsUnrestricted
• IsSubSetOf

etc., etc, etc.

At that point after performing the Demand I was able to determine if the caller had access according to how I implemented my security routines in the SecurityPermissions.

Again, this is leaving out a TON of detail, but this should get you going down the right path.

Take a look at this name space as well: [2]: http://msdn.microsoft.com/en-us/library/system.security.permissions.aspx "System.Security.Permissions"

Answer 4

Represent the permissions set for a given group as a bit mask. OR-ing the bit masks together will give you the resultant permission set.