On Saturday, August 17, 2002, at 12:01, Matthew Walker wrote:

> So for a complex app I would typically assign a permission to every action
> that could be performed, then I would be assigning various (maybe hundreds
> of) permissions to different user groups. But on top of that I would like to
> add or restrict individual permissions on a user by user basis. My current
> process for managing that would be for the database to be queried to find
> out if user X was allowed to perform action Y. Is it realistic to use the
> cflogin roles to store literally zillions of permissions?

Let's be realistic about this... Most applications have a few roles / personas / whatever and may have several groups to which users belong. For most applications, cflogin is going to work just fine. Like all out-of-the-box systems, it isn't a panacea.

I don't really believe you would "assign a permission to every action". I think in a well-designed application, you would partition operations into categories and assign a role to each category.

For example, macromedia.com will have a single role for all authenticated users and then one or two sub-roles below that. On top of that, we have one specialized application that is heavily role-based and for that application alone, we use a custom schema to describe user roles.

In our publishing system, we use a workflow engine to control who can do what in terms of edit, review, make-live etc. It manages its own user groups although it uses cflogin as the top-level framework.

Elsewhere, we use the 'authenticated user' role to secure CFC methods. However, we also ensure the web site's navigation flow keeps people away from operations that they should not execute - the CFC-level security is mostly to prevent unauthorized access via Web Services to our methods.

Perhaps if you could be a little more specific about your application, we can work together to design some infrastructure that will provide a good mix of cflogin with custom group management?

Sean A Corfield -- http://www.corfield.org/blog/

"If you're not annoying somebody, you're not really alive."
-- Margaret Atwood
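The arrangement described in the message above, as an added example that is not part of the original post and is not Macromedia's code: many fine-grained groups collapse into a few coarse cflogin roles, and a CFC method is restricted by role. The datasource `appDSN`, the tables `users`, `user_groups` and `app_groups`, their columns, the stored PBKDF2 verifier and the role names are all assumptions.

```cfml
<!--- Application.cfm: added example. Datasource, tables, columns and role names are hypothetical. --->
<cfapplication name="roleDemo" sessionmanagement="yes">

<cflogin>
  <!--- The cflogin structure exists only when credentials were submitted. --->
  <cfif isDefined("cflogin")>
    <cfquery name="qUser" datasource="appDSN">
      SELECT user_id, pw_salt, pw_hash
      FROM users
      WHERE username = <cfqueryparam value="#cflogin.name#" cfsqltype="cf_sql_varchar">
    </cfquery>
    <!--- Assumed storage: a PBKDF2 verifier (generatePBKDF2Key needs ColdFusion 11 or later). --->
    <cfif qUser.recordCount EQ 1 AND compare(qUser.pw_hash,
          generatePBKDF2Key("PBKDF2WithHmacSHA1", cflogin.password, qUser.pw_salt, 100000, 256)) EQ 0>
      <!--- Each group maps to one coarse role, so hundreds of groups yield a handful of roles. --->
      <cfquery name="qRoles" datasource="appDSN">
        SELECT DISTINCT g.role_name
        FROM user_groups ug
        JOIN app_groups g ON g.group_id = ug.group_id
        WHERE ug.user_id = <cfqueryparam value="#qUser.user_id#" cfsqltype="cf_sql_integer">
      </cfquery>
      <!--- Every verified user also receives the baseline 'authenticated' role. --->
      <cfloginuser name="#cflogin.name#" password="#cflogin.password#"
                   roles="#listAppend(valueList(qRoles.role_name), 'authenticated')#">
    </cfif>
  </cfif>
</cflogin>

<!--- account.cfc: the roles attribute is checked on every invocation, including
      web service calls, so it does not rely on the site's navigation flow. --->
<cfcomponent>
  <cffunction name="getProfile" access="remote" returntype="struct" roles="authenticated">
    <cfset var profile = structNew()>
    <cfset profile.username = getAuthUser()>
    <!--- Sub-role check inside the method for a finer-grained decision. --->
    <cfset profile.canPublish = isUserInRole("publisher")>
    <cfreturn profile>
  </cffunction>
</cfcomponent>
```

Per-user grants or restrictions of the kind the question asks about would stay in the application's own tables and be checked in code; they are not modelled here.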

