I'm designing a portal's security architecture. The site has pages, videos, pictures, users, databases, file system objects, etc. What is the best way to control access to all of these objects? How would you store permissions? Is a 64-bit database variable enough for storing permissions?

E.g. Windows employs ACLs and SIDs. Do you have a more up-to-date solution?

+1  A: 

I don't like the idea of storing permissions as flags in one variable. I'd rather make roles objects in a many-to-many relation with users.

For editing rights of a specific object I use an object's method or an external function, depending on how I can generalise security policies.

For middle-sized portals this approach works very well.

rawicki
A: 

Most of the common web infrastructures have built-in security systems. ASP.NET, for example, has a security sub-system that is fairly robust. Security is very hard to get right, so it's almost always the case that you're going to want to use a system that is being tested regularly.

If you absolutely have to write your own security system then I would suggest researching the various technologies like ACL and LDAP, as users, groups and impersonation are all complicated topics and need to be researched in order to get the best match to your actual needs.

Orion Adrian
A: 

Whatever you do, make it simple. Easier to make, easier to prove, easier to audit. Easier to adapt.

First, consider a group/user system. For each object define a set of permissions, and then connect them like this: this user has these permissions, this group has these permissions, etc.

If that's not enough for you (make sure it's really not enough), use some kind of ACL system, preferably integrated with your existing solution, and preferably as simple as possible.

phjr
A: 

I plan to follow the Role-based access control security design pattern (Security Patterns: Integrating Security and Systems Engineering, p249). Role has an association with ProtectionObject. The association name is IsAuthorisedFor. There is an association class called Right that has an accessType member and a checkRights method. Role is in a many-to-many association with User. The association name is MemberOf. This structure can represent roles, users and permission checks.

The main question for me is how to store permissions per object. Let's say we have pages, webparts, file system objects. I can store permissions for these objects in a database. This method makes it possible to control system objects and file system objects as well. It's a big question for me how to store and cache these permission sets in memory and how to check access efficiently.

artur02
I think you should include this in your question...
KovBal
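The model rawicki and artur02 describe (users in a many-to-many MemberOf relation with roles, roles IsAuthorisedFor protection objects through a Right that carries an accessType, with a checkRights operation and an in-memory cache of each user's effective permission set) can be written down concretely. The following is an added example, not code from any answer on this page or from the book artur02 cites; it uses SQLite for storage and the table, column and method names are my own assumptions. Storing each right as a row rather than as a bit in a 64-bit word keeps the set of access types open-ended, which is the point rawicki makes against flag words.

```python
"""Added example: a small RBAC store with a per-user cache of effective rights.
Table and column names are assumptions, not from the answers above."""
import sqlite3
from typing import Dict, FrozenSet, Tuple

Right = Tuple[str, str, str]  # (object kind, object name, access type)

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE roles (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
-- User MemberOf Role (many-to-many)
CREATE TABLE member_of (
    user_id INTEGER NOT NULL REFERENCES users(id),
    role_id INTEGER NOT NULL REFERENCES roles(id),
    PRIMARY KEY (user_id, role_id));
-- one row per protected thing, whatever its kind (page, video, file, ...)
CREATE TABLE protection_objects (
    id INTEGER PRIMARY KEY, kind TEXT NOT NULL, name TEXT NOT NULL,
    UNIQUE (kind, name));
-- the Right association class: Role IsAuthorisedFor ProtectionObject
CREATE TABLE rights (
    role_id INTEGER NOT NULL REFERENCES roles(id),
    object_id INTEGER NOT NULL REFERENCES protection_objects(id),
    access_type TEXT NOT NULL,
    PRIMARY KEY (role_id, object_id, access_type));
"""


class AccessControl:
    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn
        self.conn.execute("PRAGMA foreign_keys = ON")
        self.conn.executescript(SCHEMA)
        # Effective rights per user, built lazily on first check and dropped
        # whenever a membership or grant that feeds it changes.
        self._cache: Dict[str, FrozenSet[Right]] = {}

    def add_user(self, name: str) -> None:
        self.conn.execute("INSERT INTO users(name) VALUES (?)", (name,))

    def add_role(self, name: str) -> None:
        self.conn.execute("INSERT INTO roles(name) VALUES (?)", (name,))

    def add_object(self, kind: str, name: str) -> None:
        self.conn.execute("INSERT INTO protection_objects(kind, name) VALUES (?, ?)",
                          (kind, name))

    def assign(self, user: str, role: str) -> None:
        cur = self.conn.execute(
            "INSERT INTO member_of(user_id, role_id) "
            "SELECT u.id, r.id FROM users u, roles r WHERE u.name = ? AND r.name = ?",
            (user, role))
        if cur.rowcount != 1:
            raise LookupError(f"unknown user or role: {user}, {role}")
        self._cache.pop(user, None)  # only this user's effective set changes

    def unassign(self, user: str, role: str) -> None:
        self.conn.execute(
            "DELETE FROM member_of WHERE user_id = (SELECT id FROM users WHERE name = ?) "
            "AND role_id = (SELECT id FROM roles WHERE name = ?)", (user, role))
        self._cache.pop(user, None)

    def grant(self, role: str, kind: str, name: str, access_type: str) -> None:
        cur = self.conn.execute(
            "INSERT INTO rights(role_id, object_id, access_type) "
            "SELECT r.id, po.id, ? FROM roles r, protection_objects po "
            "WHERE r.name = ? AND po.kind = ? AND po.name = ?",
            (access_type, role, kind, name))
        if cur.rowcount != 1:
            raise LookupError(f"unknown role or object: {role}, {kind}:{name}")
        self._cache.clear()  # every member of the role is affected

    def effective_rights(self, user: str) -> FrozenSet[Right]:
        """All (kind, name, access_type) triples reachable through the user's roles."""
        if user not in self._cache:
            rows = self.conn.execute(
                "SELECT po.kind, po.name, r.access_type FROM users u "
                "JOIN member_of m ON m.user_id = u.id "
                "JOIN rights r ON r.role_id = m.role_id "
                "JOIN protection_objects po ON po.id = r.object_id "
                "WHERE u.name = ?", (user,)).fetchall()
            self._cache[user] = frozenset((k, n, a) for k, n, a in rows)
        return self._cache[user]

    def check_rights(self, user: str, kind: str, name: str, access_type: str) -> bool:
        # Default deny: an unknown user, object or access type matches nothing.
        return (kind, name, access_type) in self.effective_rights(user)


def build_demo() -> AccessControl:
    """Constructed sample data: two users, two roles, a page and a file."""
    ac = AccessControl(sqlite3.connect(":memory:"))
    for u in ("alice", "bob"):
        ac.add_user(u)
    for r in ("editor", "viewer"):
        ac.add_role(r)
    ac.add_object("page", "/about")
    ac.add_object("file", "/uploads/report.pdf")
    ac.grant("viewer", "page", "/about", "read")
    ac.grant("editor", "page", "/about", "read")
    ac.grant("editor", "page", "/about", "write")
    ac.grant("editor", "file", "/uploads/report.pdf", "read")
    ac.assign("alice", "editor")
    ac.assign("bob", "viewer")
    return ac


if __name__ == "__main__":
    ac = build_demo()
    print("alice write /about:", ac.check_rights("alice", "page", "/about", "write"))
    print("bob write /about:", ac.check_rights("bob", "page", "/about", "write"))
```

The one query in effective_rights is the only place the database is touched during a check; everything else is a set lookup against the cached frozenset. The cost of that simplicity is the invalidation rule: a membership change drops one user's entry, a grant drops the whole cache, which is acceptable for a portal where grants change far less often than checks run.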