|
Hi McE, Actually, I was writing all of this up yesterday, but left off half way through when I decided that nobody would be particularly interested... Using your definitions, Patrick, I simply do not deal with Permissions or Roles. I have People and I have Groups. Data about People and Groups is stored in LDAP. My global authentication function confirms who you are, and creates a "session" variable that contains a list of all the Groups that you are in. So what are these Groups? Although the authentication/authorisation/customisation system thinks all Groups are exactly the same, conceptually there are two different kinds of Group: IndependentGroups and ApplicationGroups. IndependentGroups exist independent of any IT system - they are social and organisational constructs. Where I work, I am a member of these:
ApplicationGroups only have meaning in
the context of particular IT systems. They are what I would usually
describe as "roles" (as opposed to your role definition, Patrick). I am a
member of many ApplicationGroups (I have many roles):
So, what do I do with these?
The API of my authorisation/customisation system has a
single function,
isMember(GroupList). It returns a
Boolean value which is true if the authenticated user is a member of one of the
Groups in the list.
So the simplest way to secure or customise a
piece of code using this function is like this:
<cfif isMember("Web Unit,
WWR-users")>
<a
href="index.cfm?fuseaction=wwr.default">Web Work
Register</a>
</cfif>
In practice, though, it's more likely to look like
this:
<cfif
isMember(WWRGroups)>, where WWRGroups is a list that has been
defined in fbx_settings.
Now it's perfectly okay, and often done, to do
this:
<cfif isMember("Web Unit,
WWR-users")>
<cfset WWRflag =
true>
</cfif>
...
<cfif WWRflag>
<a
href="index.cfm?fuseaction=wwr.default">Web Work
Register</a>
</cfif>
... but that is only done when a large clump of code needs to ask that same
question several times. Testing the flag is quicker than testing
isMember() repeatedly. In other words, that's a coding decision, not an
architectural or modelling decision.
That's all there is to the authentication/authorisation/customisation
system. The Coder may choose to create flags representing permissions if
they wish, but that is not the conceptual level at which the system was
designed. The basic concepts are People, Groups, and BusinessRules
;-)
That's about it. I built this system about three years ago, because
Advanced Security seemed far too arcane, and we use it across some 100 Intranet
applications now. I hope I didn't get it all badly wrong ;-(
See ya,
LeeBB ----- Original Message -----
==^================================================================ This email was sent to: [email protected] EASY UNSUBSCRIBE click here: http://topica.com/u/?bUrFMa.bV0Kx9 Or send an email to: [EMAIL PROTECTED] T O P I C A -- Register now to manage your mail! http://www.topica.com/partner/tag02/register ==^================================================================ |
- RE: secure tag and permissions hal helms
- RE: secure tag and permissions Lee Borkman
- Re: secure tag and permissions Jeff Peters
- RE: secure tag and permissions Patrick McElhaney
- Re: secure tag and permissions Lee Borkman
- Re: secure tag and permissions David Huyck
- Re: secure tag and permissions Steve Nelson
- RE: secure tag and permissions hal helms
- Re: secure tag and permissions Steve Nelson
- RE: secure tag and permissions Patrick McElhaney
- RE: secure tag and permissions Lee Borkman
- RE: secure tag and permissions Patrick McElhaney
- Re: secure tag and permissions Jeff Peters
- Re[2]: secure tag and permissi... Toby Tremayne
- OT: Oracle on Pro Gavin Lilley
- Re: secure tag and permissions David Huyck
- RE: secure tag and permissions Alan McCollough
- RE: secure tag and permissions hal helms
- RE: secure tag and permissions BOROVOY Noam
- RE: secure tag and permissions Matthew W Jones
