The best way to implement RBAC with Access

I'm programming a new application with many users, a few roles and specific permissions for those roles. For that I want to create the following tables:

Users (ID,Login, password,..)
User_Roles(User_ID, Role_ID)
Permission_Roles(Permission_ID, Role_ID)

My idea was to build a function which allows me to check if a user has a specific permission to access a form. I would do that by creating Permissions/Rules like 'canReadFormX', 'canEditFormX', which would allow me to use one main function to check and perform those specific rules and a function per form to call it.

Is that the way to go (or rather, did I understand everything correctly regarding RBAC), or is that just far too complicated? Any advice is very appreciated!

asked 31 January 2012 at 08:01

1 Answer

It seems fair to me, and similar to what we have already set, for the first 3 tables.

You then have to solve the 'action' problem, i.e. to distribute permissions to use your app's actions. I am not sure that your 'Permissions' proposal will cover all the situations, as you have to deal with 2 major categories of actions:

  1. The 'Open form' actions, that you already have identified: you effectively have to define 2 levels of authorisation for each form: the 'view' right, and the 'update' right.
  2. All other actions, such as form specific buttons or menus, that will allow you to run a specific action other than just opening a form (execute a report, make a specific calculation, automatically import or update data, etc).

One solution/My advice is to maintain 2 tables for this:

  • A 'Forms' table
  • An 'Actions' table

And the corresponding link tables:

  • A 'Form_Role' table
  • An 'Action_Role' table

With such a configuration, you are fully covered. You can even decide which role has the right to see a specific report on a specific form, as long as the corresponding action is accessed through a specific control or menu on the form.

Both Forms and Actions tables are very interesting as they both participate in your application metamodel...

EDIT: By the way, if you are on a domain, you can use the user's domain credentials to control his/her access rights to your system. In this case you do not need to store a password in your RBAC system.

answered 31 January 2012 at 15:01

I really appreciate your detailed answer. We are not sure yet how secure our client wants the application (imo a simple permissions approach would be sufficient, for now and the future), but for further projects this is a really good idea. Our client is also working in a domain, so this could also be nice but I'm not quite sure if this is wanted. But again great idea, which I just didn't realize before. Ty! - cristiano
