I implemented something like this in a NAC company I founded (Lockdown

define('OP_GLOBAL_ADMIN',       10);
define('OP_ADMINISTRATOR',      20);
define('OP_OPERATOR',           30);
define('OP_EUM_OPERATOR',       39);
define('OP_READONLY',           40);

//[dv]  only set the TRUE values, FALSE is implied.
//      OP_GLOBAL_ADMIN && OP_ADMINISTRATOR permissions are all
//      TRUE by default, no $role array needed (yet).
//      follow the 'P_group_action' naming convention, check for
//      existing keys before creating new ones.

//[dv]  When you create a new P_permission,
//      add it to this OP_READONLY operator role so we have a
//      master list to reference.
$role = array();
$role[OP_READONLY] = array(
        'P_about_button'        => TRUE,
        'P_switch_delete'       => FALSE,
        'P_switch_add'          => FALSE,
        'P_switch_test'         => FALSE,
        'P_switch_save'         => FALSE,
        'P_ops_view'            => FALSE,
        'P_vlan_add'            => FALSE,
        'P_vlan_check'          => FALSE,
        'P_vlan_save'           => FALSE,
        'P_vlan_test'           => FALSE,
        'P_device_audit'        => FALSE,
        'P_device_add'          => FALSE,
        'P_device_save'         => FALSE,
        'P_device_import'       => FALSE,
        'P_device_delete'       => FALSE,
);

$role[OP_OPERATOR] = array(
        'P_about_button'        => TRUE,
        'P_device_audit'        => TRUE,
        'P_device_add'          => TRUE,
        'P_device_save'         => TRUE,
        'P_device_import'       => TRUE,
        'P_discovery_run'       => TRUE,
        'P_daterange_delete'    => TRUE,
);

/**
 * Check the permissions of a given button to see if this operator (User) is
 * allowed to use it.
 * @access       public
 * @param        string $index  $role array hash index (the 'P_*' key)
 * @param        object $user   user object with a ->type; defaults to $_SESSION['user']
 * @return       boolean
 * @author       Daevid Vincent [dae...@]
 * @since        (Folsom)
 * @version      1.2
 * @date         08/01/07
 */
function checkGUIPerms($index, $user = null)
{
        global $role;
        if (!$user) $user = $_SESSION['user'];

        //[dv] we have to call this out explicitly because the
        //     OP_READONLY->is_admin() is true.
        if ($user->type == OP_GLOBAL_ADMIN || $user->type == OP_ADMINISTRATOR) return TRUE;

        // An unknown role or an unknown 'P_*' key is denied (no notice raised).
        return (!empty($role[$user->type][$index]) ? TRUE : FALSE);
}

Then in each web page, just do something like this:

<?php if (checkGUIPerms('P_device_delete')) { ?>
<INPUT TYPE="submit" CLASS="button-delete" NAME="action" VALUE="Delete"
ONCLICK="return confirmDelete( this.form, 'device');">
<?php } ?>

The more astute people will notice that this doesn't lend itself to user
defined roles as they're all hard-coded, but in our case that's all we
needed. However, it could be expanded and written/read from a database with
the same concept. Say with a table of role types (Operator, Admin, User,
Custom, etc.) and another master table of "P_*" roles and a third to 'join'
them. Pretty straightforward SQL.

The only trouble with the bitmask version Bastien mentions is that you have
to have a master bitmask map somewhere. Plus those numbers can get pretty
huge. A 255 character binary number is significant. Plus in a large
project, you can run out of space with 255 chars, the other SQL text/blob
column types are less efficient I'd think. But ultimately the concept is
the same as you're just using binary (true/false or 1/0) to determine if
someone has that particular grain of role flavored goodness.

"Some people, when confronted with a problem, think 'I know, I'll use
Now they have two problems. 

> -----Original Message-----
> From: Bastien Koert [mailto:phps...@gmail.com] 
> Sent: Monday, January 25, 2010 4:49 PM
> To: Abah Joseph
> Cc: php-db@lists.php.net
> Subject: Re: [PHP-DB] Role Based Access Control and Role 
> Based Security
> I developed an implementation that combines roles with fine grained
> access. Each role is given a set of permissions (the current set is
> global to the app, the next will be per application). In it, I specify
> a db field (varchar 255) that holds a binary permission scheme, i.e.
> 10011110100001111 etc where each value is an on / off 1/0 permission
> set. This is mapped to a constant for each position so that each
> module can have a set of permissions like ADD, DELETE etc.
> This scheme then controls the menu / buttons to produce a workflow for
> the application.
> Bastien
> On Monday, January 25, 2010, Abah Joseph <joefa...@gmail.com> wrote:
> > Hi list, thanks to the wonderful people on this list.
> >
> > I am planning a system that requires access to the system based on
> > role. I love the implementation in SMF (www.simplemachines.org) where
> > every module can define its own role, but I don't know how.
> >
> > Users will be in groups like Administrator, Editor, Manager etc (I have
> > seen such on Joomla) and each module can define the action each group
> > can perform, e.g.
> > an advertisement module will define something like 'Can add', 'Can
> > edit own', 'can edit any', etc. I am wondering what the database
> > structure/PHP Class will look like.
> >
> > I found a database Schema on Access Control at
> > http://www.databaseanswers.org/data_models/access_control/index.htm
> > but I can't figure out the implementation in PHP.
> > Any idea will help.
> >
> > --
> > Share with free mind!
> > Join the world largest open forum for hackers and programmers.
> > http://www.tuwana.com
> >
> > --
> > PHP Database Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
> -- 
> Bastien
> Cat, the other other white meat


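The on/off string scheme Bastien describes, together with the master position map Daevid points out it needs and the fixed 255-character width he worries about, written out as an added example in PHP. This is not code from either message or from any product mentioned in the thread; the permission names, their positions and the sample masks are constructed for illustration.

```php
<?php
// Added example (not from the thread): Bastien's varchar(255) "1/0 string"
// permission scheme with the master position map Daevid says it requires.
// Permission names, positions and sample masks are constructed.

// Master map: permission name => character position in the stored string.
// This is the single place positions are assigned. Never renumber an
// existing entry, only append; otherwise every stored mask silently
// changes meaning.
const PERMISSION_BITS = array(
    'P_device_add'    => 0,
    'P_device_save'   => 1,
    'P_device_delete' => 2,
    'P_device_import' => 3,
    'P_vlan_add'      => 4,
    'P_vlan_save'     => 5,
    'P_discovery_run' => 6,
);

const MASK_WIDTH = 255; // matches the varchar(255) column

/**
 * Default-deny lookup: an unknown permission name, a mask shorter than
 * the requested position, and any character other than '1' all mean "no".
 */
function hasPermission($mask, $permission)
{
    if (!array_key_exists($permission, PERMISSION_BITS)) {
        return false;
    }
    $pos = PERMISSION_BITS[$permission];
    if (!is_string($mask) || strlen($mask) <= $pos) {
        return false;
    }
    return $mask[$pos] === '1';
}

/**
 * Return a new mask with $permission switched on or off. The mask is
 * right-padded with '0' up to the needed position, so older, shorter masks
 * stay valid as new permissions are appended to the master map.
 */
function setPermission($mask, $permission, $on)
{
    if (!array_key_exists($permission, PERMISSION_BITS)) {
        throw new InvalidArgumentException("Unknown permission: $permission");
    }
    $pos = PERMISSION_BITS[$permission];
    if ($pos >= MASK_WIDTH) {
        throw new LengthException("Position $pos does not fit in varchar(" . MASK_WIDTH . ")");
    }
    $mask = str_pad((string) $mask, $pos + 1, '0');
    $mask[$pos] = $on ? '1' : '0';
    return $mask;
}

/**
 * Reject anything that is not a pure '0'/'1' string of at most MASK_WIDTH
 * characters before it is stored or trusted.
 */
function isValidMask($mask)
{
    return is_string($mask)
        && strlen($mask) <= MASK_WIDTH
        && preg_match('/^[01]*\z/', $mask) === 1;
}

/** Expand a mask into the permission names it grants, e.g. for an audit page. */
function listPermissions($mask)
{
    $granted = array();
    foreach (PERMISSION_BITS as $name => $pos) {
        if (hasPermission($mask, $name)) {
            $granted[] = $name;
        }
    }
    return $granted;
}

// Constructed sample: an "operator" mask as it might be read from the DB.
$operatorMask = '1101001';
var_dump(hasPermission($operatorMask, 'P_device_add'));
var_dump(hasPermission($operatorMask, 'P_device_delete'));
var_dump(hasPermission($operatorMask, 'P_no_such_perm'));   // unknown name: denied
var_dump(hasPermission('11', 'P_discovery_run'));           // mask too short: denied

$adminMask = setPermission($operatorMask, 'P_device_delete', true);
echo $adminMask, "\n";
print_r(listPermissions($adminMask));
var_dump(isValidMask($adminMask));
var_dump(isValidMask('10x1'));                              // stray character: rejected
```

Two design choices carry the security weight here: every lookup is default deny (an unrecognised name, a short mask or a non-'1' character never grants anything), and the position map is append-only, since the stored strings have no meaning without it. Validate a mask with isValidMask() before writing it to the varchar column so that a corrupted or hand-edited value cannot be read back as an unintended grant.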