Why did you think it was too strict? You are able to modify roles and permissions to what you like. I've spent a lot of time setting up a new security framework for my CMS, because the previous one was too simple. What I've come up with is the following:

Departments, Roles, Policies, Permissions, Users

A department contains roles; the roles can be shared among other departments. A department can be "marketing", "administration", "sales", etc.

Roles are "author", "editor", "publisher", etc. It is up to you how many you want to have.

Policies are a collection of permissions. It is basically a configuration of permissions. These policies can be shared among departments, roles and users. If you have a department with a policy you can override the policy by setting a policy on the role, or you can override that policy by setting a policy on the user.

A permission consists of "add", "edit", "delete", "approve", "set permissions", etc. These are fully extensible in any way you want.

A user .. .. well.. this one is obvious. A user may only do a single role in a department, but is able to be in multiple departments as long as he is doing a single role in that department. So user "john" is allowed to do the "author" role in department "marketing" and .. do the role "editor" or "author" in department "sales". John is not allowed to do multiple roles in a department.

I can provide you with a database scheme, because I have the system working. The usability of this system is very dependent on your interface. Provide the user with a bad management interface and they get lost; provide them with a good interface and you have a very flexible, scalable security system.
________________________________
From: The Wolf [mailto:[EMAIL PROTECTED]
Sent: Mon 12/20/2004 9:47 PM
To: CF-Talk
Subject: ColdFusion built-in tags and permission-based security framework

Hi all,

I need to implement a new security framework for my ColdFusion applications (CMS, etc.). I used a role-based security model in the past and I found it too strict, that's why I would like to implement a permission-based security framework now. Check out the following article about the benefits of a permission-based security model over a role-based one:

"Rethinking Roles-based Security"
<http://www.halhelms.com/index.cfm?fuseaction=newsletters.show&issue=052203_rolesBasedSecurity>

I came up with the following database schema (Oracle), that should be sufficient to implement a permission-based security model, like the one outlined in the above article:

    CREATE TABLE Person (
        PersonID INTEGER NOT NULL,
        FirstName VARCHAR2(40) NOT NULL,
        LastName VARCHAR2(40) NOT NULL,
        PRIMARY KEY (PersonID)
    );

    -- GROUP is a reserved word in Oracle, so the table name is quoted
    CREATE TABLE "Group" (
        GroupID INTEGER NOT NULL,
        GroupName VARCHAR2(20) NOT NULL,
        GroupDescription VARCHAR2(40) NOT NULL,
        PRIMARY KEY (GroupID)
    );

    CREATE TABLE Person_Group (
        PersonID INTEGER NOT NULL,
        GroupID INTEGER NOT NULL,
        FOREIGN KEY (GroupID) REFERENCES "Group",
        FOREIGN KEY (PersonID) REFERENCES Person
    );

    CREATE TABLE Permission (
        PermissionID INTEGER NOT NULL,
        PermissionName VARCHAR2(20) NOT NULL,
        PermissionDescription VARCHAR2(40) NOT NULL,
        PRIMARY KEY (PermissionID)
    );

    CREATE TABLE Group_Permission (
        GroupID INTEGER NOT NULL,
        PermissionID INTEGER NOT NULL,
        FOREIGN KEY (PermissionID) REFERENCES Permission,
        FOREIGN KEY (GroupID) REFERENCES "Group"
    );

Let me make a quick example of how this database schema is supposed to work:

- My sample person is a member of the 'Admin' Group;
- The Admin Group has several Permissions: 'addUser', 'modifyUser', 'removeUser', 'addDocument', 'modifyDocument', 'deleteDocument', etc.;
- The sample person will be able to access all the features that require any of the Permissions above: add, modify and delete users and documents.

Now I have to start coding the CFML files and I am not sure if I should use the ColdFusion built-in security tags and functions: <cflogin>, <cfloginuser>, IsUserInRole, etc. If I got it right, what is called a 'role' in the ColdFusion built-in tags and functions is a 'Permission' in my database schema. So when my sample user logs into the system, I should have the following code (of course the username/password and roles assignation will be dynamic in the production code):

    <cfloginuser name="myuser" password="mypasswd"
        roles="addUser,modifyUser,removeUser,addDocument,modifyDocument,deleteDocument">

And I should use the following code to check if the user is authorized to add a document:

    <cfif IsUserInRole("addDocument")>
        *authorized*
    <cfelse>
        *not authorized*
    </cfif>

If this is the correct use of the tags and functions, I am a bit worried about the ColdFusion built-in security framework's scalability. Will it still work fine if I add a lot (e.g. 50-100) 'roles' ('Permissions' according to my db schema) to each user using the <cfloginuser> tag? Any slowdown or memory problem on the server? Do you think I should use custom UDFs or CFCs instead?

Also, I'd like to hear any suggestion or criticism about the security framework I want to implement ... I am sure I am missing something. :-)

Thanks a lot.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Special thanks to the CF Community Suite Gold Sponsor - CFHosting.net http://www.cfhosting.net
Message: http://www.houseoffusion.com/lists.cfm/link=i:4:188329
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
Subscription: http://www.houseoffusion.com/lists.cfm/link=s:4
Unsubscribe: http://www.houseoffusion.com/cf_lists/unsubscribe.cfm?user=89.70.4
Donations & Support: http://www.houseoffusion.com/tiny.cfm/54
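The following is an added example, not code posted by either participant. It implements the department / role / policy / user model from the reply (department policy overridden by role policy, overridden by a per-user policy, and one role per user per department) and exposes the same kind of flat permission check the original post does with IsUserInRole. It uses an in-memory SQLite database as a stand-in for the Oracle schema; all table names, column names and sample rows are mine, and the choice to attach the role policy to the role itself rather than to a (department, role) pair is my reading of the reply.

```python
"""Added example: resolving effective permissions in a department/role/policy model.

SQLite stands in for Oracle; table and column names are assumptions, not the
thread's schema. Resolution order, per the reply: user policy > role policy >
department policy. A level with no policy (NULL) is skipped; if no level sets
one, the user gets nothing (deny by default).
"""
import sqlite3

SCHEMA = """
CREATE TABLE permission (name TEXT PRIMARY KEY);
CREATE TABLE policy     (name TEXT PRIMARY KEY);
CREATE TABLE policy_permission (
    policy     TEXT NOT NULL REFERENCES policy(name),
    permission TEXT NOT NULL REFERENCES permission(name),
    PRIMARY KEY (policy, permission)
);
-- A department or a role may carry a default policy; NULL means "inherit".
CREATE TABLE department (name TEXT PRIMARY KEY, policy TEXT REFERENCES policy(name));
CREATE TABLE role       (name TEXT PRIMARY KEY, policy TEXT REFERENCES policy(name));
CREATE TABLE person     (name TEXT PRIMARY KEY);
-- One row per (person, department): the primary key is what enforces
-- "a user may only do a single role in a department".
CREATE TABLE membership (
    person     TEXT NOT NULL REFERENCES person(name),
    department TEXT NOT NULL REFERENCES department(name),
    role       TEXT NOT NULL REFERENCES role(name),
    policy     TEXT REFERENCES policy(name),   -- per-user override, NULL = none
    PRIMARY KEY (person, department)
);
"""

# Constructed sample data (not from the thread).
SAMPLE = [
    ("INSERT INTO permission VALUES (?)",
     [("view",), ("add",), ("edit",), ("delete",), ("approve",)]),
    ("INSERT INTO policy VALUES (?)",
     [("read-only",), ("author",), ("editor",), ("john-sales",)]),
    ("INSERT INTO policy_permission VALUES (?, ?)", [
        ("read-only", "view"),
        ("author", "view"), ("author", "add"), ("author", "edit"),
        ("editor", "view"), ("editor", "add"), ("editor", "edit"), ("editor", "approve"),
        ("john-sales", "view"), ("john-sales", "add"), ("john-sales", "delete"),
    ]),
    ("INSERT INTO department VALUES (?, ?)",
     [("marketing", "read-only"), ("sales", "read-only"), ("administration", None)]),
    ("INSERT INTO role VALUES (?, ?)",
     [("author", "author"), ("editor", "editor"), ("reviewer", None)]),
    ("INSERT INTO person VALUES (?)", [("john",), ("jane",)]),
    ("INSERT INTO membership VALUES (?, ?, ?, ?)", [
        ("john", "marketing", "author", None),          # role policy applies
        ("john", "sales", "editor", "john-sales"),      # user override wins
        ("jane", "marketing", "reviewer", None),        # no role policy -> department default
        ("jane", "administration", "reviewer", None),   # nothing set anywhere -> no permissions
    ]),
]


def open_db():
    """Create the schema and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE:
        conn.executemany(sql, rows)
    conn.commit()
    return conn


# COALESCE picks the first non-NULL level: user, then role, then department.
RESOLVE = """
SELECT COALESCE(m.policy, r.policy, d.policy)
FROM membership m
JOIN role r       ON r.name = m.role
JOIN department d ON d.name = m.department
WHERE m.person = ? AND m.department = ?
"""


def effective_policy(conn, person, department):
    """Name of the policy in force, or None if not a member / nothing set."""
    row = conn.execute(RESOLVE, (person, department)).fetchone()
    return row[0] if row else None


def effective_permissions(conn, person, department):
    """Flat permission set for one person in one department (what the
    original post would hand to <cfloginuser roles="...">)."""
    policy = effective_policy(conn, person, department)
    if policy is None:
        return frozenset()
    rows = conn.execute("SELECT permission FROM policy_permission WHERE policy = ?", (policy,))
    return frozenset(p for (p,) in rows)


def is_authorized(conn, person, department, permission):
    """Permission-based check, the equivalent of IsUserInRole("addDocument")."""
    return permission in effective_permissions(conn, person, department)


def assign_role(conn, person, department, role, policy=None):
    """Store a role assignment. Returns False when the database rejects it:
    a second role in the same department (primary key) or an unknown
    person/department/role/policy (foreign key)."""
    try:
        with conn:
            conn.execute("INSERT INTO membership VALUES (?, ?, ?, ?)",
                         (person, department, role, policy))
        return True
    except sqlite3.IntegrityError:
        return False


if __name__ == "__main__":
    db = open_db()
    for who, dept in [("john", "marketing"), ("john", "sales"),
                      ("jane", "marketing"), ("jane", "administration")]:
        print(who, dept, effective_policy(db, who, dept),
              sorted(effective_permissions(db, who, dept)))
    print("second role for john in marketing accepted?",
          assign_role(db, "john", "marketing", "editor"))
```

The resolution happens in one query, so the cost per login is a handful of rows regardless of how many permissions a policy carries; the resulting set is small enough to cache in the session, which is all the built-in roles list does anyway. Note that `jane` in `administration` ends up with an empty set: a missing policy at every level yields no access rather than some implicit default.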

