
Designing a privileges based system

Ranch Hand
Posts: 94
Hello Guyz
I am trying to design a privileges based system for our intranet.
At a high level, the following functionality is required.
The organization has a hierarchy across departments and strategic business units of various depths. Users are attached to any number of hierarchy positions. At the last level we have projects, where the bulk of the users are attached.
Ex. 1: The same user could be heading the company and so would be attached to the Corp. hierarchy (top level). He/She could also be the head of quality and so will have an attachment at Quality Dept. level.
Ex. 2: The same person is attached to various projects under different Strategic Business Units (same level as Department: Ex. Production 1 at the same level as HR) performing different roles - Ex. he/ she is a manager in one project and a team member in the other project.
What strategy will enable us to ensure that people do not have access to data in hierarchies where they have no privilege? Obviously a boss automatically has access to subordinates' data. Also, some of the information is key, ex. salary figures. So though the person might have access to employee details, for some roles we might want to restrict visibility of such key data.
Please provide your insights on the implementation of such a system.

What if this is as good as it gets ?
Ranch Hand
Posts: 782
The scenario you paint is implemented via access control lists/role based security. What you would do is to attach "grants" and "denies" on objects that you are protecting. A collection of "grants" and "denies" will be your ACL. Most databases implement such a security scheme. If it's web pages that you're protecting, you might want to look into Apache Turbine for inspiration.
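
A sketch of the grant/deny ACL idea from the reply above, applied to the hierarchy in the question. This is an added example, not code from either poster; the unit names, users, roles, fields and the rule that the nearest attachment decides (with deny beating grant) are all assumptions.

```python
# Added example: all org units, users, roles and fields are constructed.
from dataclasses import dataclass

# Child -> parent links for the organisation hierarchy (constructed sample).
PARENT = {"Quality": "Corp", "HR": "Corp", "Production1": "Corp",
          "ProjA": "Production1", "ProjB": "Production1"}

# A user may hold a different role at each hierarchy node they are attached to.
ATTACHMENTS = {
    "alice": {"Corp": "head", "Quality": "head"},
    "bob": {"ProjA": "manager", "ProjB": "member"},
}

@dataclass(frozen=True)
class Ace:
    role: str
    field: str    # "*" matches any field
    allow: bool   # True = grant, False = deny

# The ACL is the collection of grants and denies, keyed by role.
ACL = [
    Ace("head", "*", True),
    Ace("manager", "*", True),
    Ace("manager", "salary", False),  # managers see details but not salary
    Ace("member", "name", True),
]

def ancestors(node):
    """Yield node and every unit above it, nearest first."""
    while node is not None:
        yield node
        node = PARENT.get(node)

def can_read(user, node, field):
    """Default deny. The nearest attachment at or above node that has a
    matching entry decides; within it, a deny beats a grant (assumed policy)."""
    held = ATTACHMENTS.get(user, {})
    for unit in ancestors(node):
        role = held.get(unit)
        if role is None:
            continue
        hits = [a for a in ACL if a.role == role and a.field in ("*", field)]
        if any(not a.allow for a in hits):
            return False
        if any(a.allow for a in hits):
            return True
    return False  # no attachment on the path to the root grants this field
```

Because access is resolved by walking up from the requested unit, a head attached at Corp reaches every project below, while a user with no attachment on that path (bob asking about HR) is refused.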