Thanks for this Ben, I've been working on a similar principle of the groups, you're definitely right that it makes life easier. I've also started to work on the idea that if a user belongs to a group, they can have additional rights granted or indeed revoked. This gives the same level of control then as simple permissions, but allows the ease of access that the group method does.
The database plan I'm currently working on would use an additional column in the permission/user table which defines if it's an additional 'granted' permission or a 'revoked' one. It's still in the early stages and might not work how I want it to, but fingers crossed.

Thanks,

Rob

-----Original Message-----
From: Porter, Benjamin L. [mailto:[EMAIL PROTECTED]
Sent: 24 May 2007 19:32
To: CF-Talk
Subject: RE: Granular Security Model

I prefer something similar to what James mentioned but with the addition of groups or roles. The groups or roles would have a member table joining them 1 group/role to many permissions. A user could have either roles and/or permissions. If they had the role they by proxy had all the permissions the role has. When you start to have dozens of different permissions, having roles / groups simplifies the management of them.

-----Original Message-----
From: James Holmes [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 24, 2007 6:16 AM
To: CF-Talk
Subject: Re: Granular Security Model

This could be normalised so that there is a user table, an entitlement table and an m:n joining table between them (user_entitlement or similar). This way only a true (1) is indicated in the DB and you can assume false for everything else (including when initialising the struct in CF).

On 5/24/07, Robert Rawlins - Think Blue wrote:
> The structs method works nicely from a ColdFusion point of view, but I felt
> the database was a little untidy as you had a separate database column for
> each 'entitlement' which was set to 0 or 1 dependent on the permissions,
> each user then had a row in this table. This was then stored in the struct
> as key/value pairs with each entitlement having its own struct element and a
> 'true' or 'false' value, you can then do something like
> <cfif Session.User.Entitlements.DeleteUser> to check if the user has that
> permission.
--
mxAjax / CFAjax docs and other useful articles: http://www.bifrost.com.au/blog/
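
The model discussed in this thread (a normalised m:n entitlement table, roles that carry permissions, and a per-user row flagged as granted or revoked), as an added example that is not part of the original messages. Table and column names are assumptions, SQLite stands in for the real database, and it assumes a per-user revoke takes precedence over a role-derived permission.

```python
import sqlite3

# Table and column names are assumptions for illustration.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE roles (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE permissions (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE role_permission (role_id INTEGER, permission_id INTEGER,
    PRIMARY KEY (role_id, permission_id));
CREATE TABLE user_role (user_id INTEGER, role_id INTEGER,
    PRIMARY KEY (user_id, role_id));
-- Per-user override row; 'effect' is the extra granted/revoked column.
CREATE TABLE user_permission (user_id INTEGER, permission_id INTEGER,
    effect TEXT NOT NULL CHECK (effect IN ('grant', 'revoke')),
    PRIMARY KEY (user_id, permission_id));
"""

# Role-derived or directly granted, minus anything revoked for this user.
EFFECTIVE = """
SELECT p.name FROM permissions p
WHERE (p.id IN (SELECT rp.permission_id FROM role_permission rp
                JOIN user_role ur ON ur.role_id = rp.role_id
                WHERE ur.user_id = :uid)
    OR p.id IN (SELECT permission_id FROM user_permission
                WHERE user_id = :uid AND effect = 'grant'))
  AND p.id NOT IN (SELECT permission_id FROM user_permission
                   WHERE user_id = :uid AND effect = 'revoke')
"""

def effective_permissions(db, user_id):
    return {row[0] for row in db.execute(EFFECTIVE, {"uid": user_id})}

def has_permission(db, user_id, name):
    # Absence of a row means "false", as suggested in the thread.
    return name in effective_permissions(db, user_id)

def build_sample_db():
    # Constructed sample data.
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executescript("""
    INSERT INTO users VALUES (1,'alice'),(2,'bob'),(3,'carol');
    INSERT INTO roles VALUES (1,'admin'),(2,'editor');
    INSERT INTO permissions VALUES (1,'DeleteUser'),(2,'EditUser'),(3,'ViewReports');
    INSERT INTO role_permission VALUES (1,1),(1,2),(1,3),(2,2);
    INSERT INTO user_role VALUES (1,1),(2,2);
    INSERT INTO user_permission VALUES (1,1,'revoke'),(2,3,'grant');
    """)
    return db
```

The composite primary key on `user_permission` keeps a user from holding both a grant and a revoke row for the same permission, so the precedence question only arises between a role and an override.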

