Best way to set up database tables for permissions
I'm wondering about the best way, and how many tables to use, for handling permissions for my application.
I want to give a user access to either:
I already have a table for projects, a table for users and a table for clients.
Would you create 3 new permissions tables, e.g. "Permission_Project", "Permission_Client" and "Permission_All", or a combined table?
Thank you
It would be better to create a table with your users first. For example, a table with the following columns:
UserID
Login
FirstName
LastName
...
Then create a table with security groups, with the following columns:
SecurityGroupID
SecurityGroupName
SecurityGroupDescription
...
Then, in your permission tables, you can store, for example, which projects and clients are visible to each security group. For example:
ProjectID   SecurityGroupID
100         10001
100         10002
...
meaning that project ID 100 is visible to groups 10001 and 10002, and
ClientID    SecurityGroupID
1001        10001
...
meaning that the client with ID 1001 is visible to group 10001. And the last table you need is for user - security group associations:
UserID      SecurityGroupID
So, you need to create two interfaces:
And to make working with the tables easier, a function is generally created that takes a user ID as its input parameter and outputs the clients/projects visible to the given user.
Also, consider adding an access type to your permission table, for example view or deny. That way you can make a user a member of a group which sees all clients of a particular project, and at the same time make that user a member of a group that denies access to a particular client in the same project.
It is easier to grant access to a project containing 30 clients and then deny access to one of the clients than to grant access to 29 clients individually. Also, it is more convenient to work with groups of users than with many individual users. For example, in your application you may have code like this:
If member of group 'show all clients' then render this HTML
which is better than:
if user id in (101,102,103,104...) render this HTML
It is easier, right?
Plan well before coding this. Once the application code has grown and the system is in use, it may become very difficult to change how you handle security and permissions.
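The schema the answer sketches, as an added example that is not part of the original post or the answer: the users, security groups and user-group tables, a per-group permission table for projects and another for clients with the suggested view/deny access type, and the "what can this user see" function built as a single query in which a deny row from any of the user's groups overrides a view row. That clients belong to a project, and every table name, column name, ID and login below, are assumptions made for this example; the sample rows are constructed. It is written against Python's built-in sqlite3 so it runs offline.

```python
import sqlite3

# Added example, not code from the original post. Tables follow the answer's
# layout; AccessType ('view'/'deny') is the answer's suggested extension.
# Clients belonging to a project, and all names/IDs, are assumptions.
SCHEMA = """
CREATE TABLE Users (
    UserID INTEGER PRIMARY KEY,
    Login  TEXT NOT NULL UNIQUE);
CREATE TABLE SecurityGroups (
    SecurityGroupID   INTEGER PRIMARY KEY,
    SecurityGroupName TEXT NOT NULL);
CREATE TABLE UserSecurityGroups (
    UserID          INTEGER NOT NULL REFERENCES Users(UserID),
    SecurityGroupID INTEGER NOT NULL REFERENCES SecurityGroups(SecurityGroupID),
    PRIMARY KEY (UserID, SecurityGroupID));
CREATE TABLE Projects (
    ProjectID INTEGER PRIMARY KEY,
    Name      TEXT NOT NULL);
CREATE TABLE Clients (
    ClientID  INTEGER PRIMARY KEY,
    ProjectID INTEGER NOT NULL REFERENCES Projects(ProjectID),
    Name      TEXT NOT NULL);
-- One row per (object, group); AccessType says whether the group may see it.
CREATE TABLE ProjectPermissions (
    ProjectID       INTEGER NOT NULL REFERENCES Projects(ProjectID),
    SecurityGroupID INTEGER NOT NULL REFERENCES SecurityGroups(SecurityGroupID),
    AccessType      TEXT NOT NULL CHECK (AccessType IN ('view', 'deny')),
    PRIMARY KEY (ProjectID, SecurityGroupID));
CREATE TABLE ClientPermissions (
    ClientID        INTEGER NOT NULL REFERENCES Clients(ClientID),
    SecurityGroupID INTEGER NOT NULL REFERENCES SecurityGroups(SecurityGroupID),
    AccessType      TEXT NOT NULL CHECK (AccessType IN ('view', 'deny')),
    PRIMARY KEY (ClientID, SecurityGroupID));
"""

# A client is visible when one of the user's groups has 'view' on the client
# or on its project, AND none of the user's groups has 'deny' on either.
VISIBLE_CLIENTS_SQL = """
WITH ug AS (SELECT SecurityGroupID FROM UserSecurityGroups WHERE UserID = :uid)
SELECT c.ClientID FROM Clients c
WHERE (EXISTS (SELECT 1 FROM ClientPermissions cp
               WHERE cp.ClientID = c.ClientID AND cp.AccessType = 'view'
                 AND cp.SecurityGroupID IN (SELECT SecurityGroupID FROM ug))
    OR EXISTS (SELECT 1 FROM ProjectPermissions pp
               WHERE pp.ProjectID = c.ProjectID AND pp.AccessType = 'view'
                 AND pp.SecurityGroupID IN (SELECT SecurityGroupID FROM ug)))
  AND NOT EXISTS (SELECT 1 FROM ClientPermissions cp
                  WHERE cp.ClientID = c.ClientID AND cp.AccessType = 'deny'
                    AND cp.SecurityGroupID IN (SELECT SecurityGroupID FROM ug))
  AND NOT EXISTS (SELECT 1 FROM ProjectPermissions pp
                  WHERE pp.ProjectID = c.ProjectID AND pp.AccessType = 'deny'
                    AND pp.SecurityGroupID IN (SELECT SecurityGroupID FROM ug))
ORDER BY c.ClientID
"""

# Same rule for projects: some group grants 'view', no group says 'deny'.
VISIBLE_PROJECTS_SQL = """
WITH ug AS (SELECT SecurityGroupID FROM UserSecurityGroups WHERE UserID = :uid)
SELECT p.ProjectID FROM Projects p
WHERE EXISTS (SELECT 1 FROM ProjectPermissions pp
              WHERE pp.ProjectID = p.ProjectID AND pp.AccessType = 'view'
                AND pp.SecurityGroupID IN (SELECT SecurityGroupID FROM ug))
  AND NOT EXISTS (SELECT 1 FROM ProjectPermissions pp
                  WHERE pp.ProjectID = p.ProjectID AND pp.AccessType = 'deny'
                    AND pp.SecurityGroupID IN (SELECT SecurityGroupID FROM ug))
ORDER BY p.ProjectID
"""


def build_db():
    """Create an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    conn.executemany("INSERT INTO SecurityGroups VALUES (?, ?)",
                     [(10001, "project 100: all clients"),
                      (10002, "project 100: hide client 1003")])
    # alice: sees everything in project 100; bob: same, minus client 1003;
    # carol: no groups, so she sees nothing.
    conn.executemany("INSERT INTO UserSecurityGroups VALUES (?, ?)",
                     [(1, 10001), (2, 10001), (2, 10002)])
    conn.executemany("INSERT INTO Projects VALUES (?, ?)",
                     [(100, "Project 100"), (200, "Project 200")])
    conn.executemany("INSERT INTO Clients VALUES (?, ?, ?)",
                     [(cid, 100, f"client {cid}") for cid in range(1001, 1006)]
                     + [(2001, 200, "client 2001")])
    conn.executemany("INSERT INTO ProjectPermissions VALUES (?, ?, ?)",
                     [(100, 10001, "view")])
    conn.executemany("INSERT INTO ClientPermissions VALUES (?, ?, ?)",
                     [(1003, 10002, "deny")])
    conn.commit()
    return conn


def visible_clients(conn, user_id):
    """Client IDs the given user may see (the answer's 'function by user id')."""
    return [row[0] for row in conn.execute(VISIBLE_CLIENTS_SQL, {"uid": user_id})]


def visible_projects(conn, user_id):
    """Project IDs the given user may see."""
    return [row[0] for row in conn.execute(VISIBLE_PROJECTS_SQL, {"uid": user_id})]


if __name__ == "__main__":
    db = build_db()
    for uid in (1, 2, 3):
        print(uid, visible_projects(db, uid), visible_clients(db, uid))
```

Two points worth keeping when adapting this: the rendering check in the answer ("if member of group ... then render this HTML") should call this same function on the server side rather than re-implementing the rule in each page, so that a deny row is honoured everywhere; and because deny is evaluated as "any of the user's groups", adding a user to one more group can only narrow what they see, never widen it, which is the behaviour the 30-clients example in the answer relies on.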