• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

design query

 
Ranch Hand
Posts: 116
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
we are developing a general authentication and authorization application

This is supposed to cater to multiple products of our organisation

Lets say Product A , B & C

We are planning to have different roles which are common ( a master set of roles )

Depending on each applications needs - the roles can be mapped in a mapping table

We also have a set of common functions that user can perform :: ie CRUD operations

Upto this point here is the db design ::

Master table for Products ( Product A , B , C etc )
Master Table for Roles ( Admin , Manager , End user , SuperAdmin etc )
Master Table for Functions ( CRUD operations etc )

Mapping tables ::
1 >
Product_Role_mapping :: Maps the Products to the roles ( Product A might only need roles of " Admin " & " EndUser" while Product B might need roles of "Admin" , " Manager " , " SuperAdmin" )

Now here is my question ::

In addition each role can perform different functions for different products ( defined by business )

As an example ::
"Admin" in "Product A " can " Create " , " Edit " & " delete "
"Admin" in "Product B " can " Create " but NOT ALLOWED to " Edit " & " delete "

I was wondering ::
Option A :: use another database table in which we map the product , role , functions
This would indicate that for a given product , given role - these are allowed functions

Option B :: in Java code check what product it is and what role and programmatically decide if the operation is allowed or not

Personally feel Option A is good.

To what extent is such design relying on db for configuration good ?
should we externalise it from db into a config file ( xml , csv ) for the same ?

One more question regarding another requirement

For the same product ( as en example Product A - there are three roles ::
Admin , Manager & End user )

Admin can Delete Manager as well as End user
Manager can delete end user but NOT Admin
End user can perform no delete operations

The problem here being even with a db mpping table for earlier req - the issue is that for same product the same role can perform " delete" but that "delete" depends on who the logged in user is and on what type(role) of user it is performed .

So for such a situation - what would be the approach ?

Any ideas , criticism is welcome !

Thanks ,
~satish
 
Ranch Hand
Posts: 213
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
In my view, ProductAAdmin and ProductBAamin are different roles because their functions are different. So you should create more roles, as an example:

Admin1 (Create, Modify)
Admin2 (Create, Delete)
Admin3 (Create, Delete, Modify)

Map roles to functions, keep products separate from functions.
Map products to users (admin user or other users) and users to roles.

product>users>roles>functions

As far as using XML or CSV is concerned, I don't think there is agreement on this issue in the industry. You can use property files to define roles and functions (like ACLs) but then you will have to make sure file is re-loaded when you change things. Advantage here is that roles are closer to the application logic where they belong, database is for domain data, hence roles do not belong there. But as I said I am still waiting for a stronger argument in favor of files over db tables.


I could not get your last question, if you elaborate I can try to answer.
 
satish bodas
Ranch Hand
Posts: 116
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thanks Varun for your views

earlier question ::
One more question regarding another requirement

For the same product ( as en example Product A - there are three roles ::
Admin , Manager & End user )

Admin & Manager can Delete "End user"
Manager can delete "end user" but NOT "Admin"
End user can perform no delete operations

even with a db mpping table for earlier req - the issue is that for same product the same role can perform " delete" but that "delete" depends on who the logged in user is and on what type(role) of user it is performed .

So for such a situation - what would be the approach ?



what I meant here was that even if we were to design the db table such that we assign what "role" can perform what "functions" in this case the "delete" function can be performed by both "Admin" and "Manager"

However what user type can delete which other user type is further refined

In such a case - would it be fair to place the app logic in application ::

Ex ::


Thanks ,
~satish
[ July 25, 2008: Message edited by: satish bodas ]
 
Varun Chopra
Ranch Hand
Posts: 213
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

However what user type can delete which other user type is further refined



Again, flatten that out into multiple functions:

<Function List>
Delete Product
Delete User
Delete ADMIN
Delete Manager

And assign all above to ADMIN role, "Delete User" and "Delete Product" to Manager role and so on.
 
satish bodas
Ranch Hand
Posts: 116
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
Thanks Varun
 
Varun Chopra
Ranch Hand
Posts: 213
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
You are welcome.
 
Ranch Hand
Posts: 239
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator

[ July 30, 2008: Message edited by: Rajah Nagur ]
 
It would give a normal human mental abilities to rival mine. To think it is just a tiny ad:
a bit of art, as a gift, that will fit in a stocking
https://gardener-gift.com
reply
    Bookmark Topic Watch Topic
  • New Topic