How to implement a group & role based permission system?

4
votes

I am currently building an application in PHP using the Symphony 2 library, but I guess this question is applicable to any sort of web application. Here is the basic infrastructure I would like to implement:

  • every user is part of one or multiple groups
  • every group implements one or more roles
  • roles implemented by a group apply to all users in that group
  • a user can implement additional roles not in its group

An example

  • a group 'writers' implement the 'writer' role and the 'comment moderator' role
  • an group 'administrators' implements the 'admin' role
  • a user 'Henry' is part of the writer group, and the administrator group
  • a user 'Henry' implements the 'owner' role

The roles affective for that user would be 'writer', 'comment moderator', 'administrator' and 'owner'.

Edit

Is it a good practice or not to have this behavior : user can inherit roles from its own group and can have individual roles as well. And if so, how to make it real ?

I thought of 5 tables :

Users :

  • id
  • name

Role :

  • id
  • name

UserRole :

  • id_user (FK)
  • id_role (FK)

Group :

  • id
  • name

GroupRole :

  • id_group (FK)
  • id_role (FK)

UserGroup :

  • id_user (FK)
  • id_group (FK)

This could work and the main problem would be to prevent adding an individual role a user already has from the groups it belongs to.

Be it seems to be a little complicated. Is there any better way to do so ?

Thanks

2
phproles
So... what is the question? It seems like you have it all planned out in your mind, so what part of it do you want our help with? - Majenko
Edited my own post ;) - Rybus
You are basically describing a fairly normal system there, and have worked out the normal tables you would have. Is there a problem with a user having a role that is in their group as well? Does that really make a difference? They have the role, it doesn't matter where they get the role from, or if they have the role twice - if they have it they have it. - Majenko
Okay so it is not a chocking to implement it this way ? Is it how people do ? - Rybus
One of the most common forum systems (phpBB) does exactly that, and it's perfectly happy. The main thing to remember is to ensure you craft your queries and tables (indexes) right to keep the speed optimal. - Majenko

2 Answers

6
votes

What you are describing is a fairly normal and common permissions system. It is a system used throughout the world in many different forms. In fact, you are most probably using it in some similar form by just using this website. Certainly, if you ever used a forum using phpBB you will have used it.

The tables you have described are pretty much standard. One user, many groups, a table to link them. One user, many roles, a table to link them. One group, many roles, a table to link them. It's all pretty standard stuff.

The main caveat, with a more heavily loaded system, is to ensure that your tables and queries are optimized in such a way as to keep server load down. That means making sure you have indexes on the right columns, etc. The MySQL command explain can really help you to check you have it right.

There are other similar ways of achieving the same results using less tables, which in some situations may be more optimal, or may be less optimal, it depends entirely on your system. The most common way is to basically compress the joining tables into a single field in the "single" end table, so the user would have a field that has a list of the roles in it, and another that has a list of the groups in it. Similarly with the groups - a field that has a list of the roles in it. How you encode that information is up to you. I commonly use JSON to encode array information into table fields as it is self-escaping. All it does though is shift the processing from the SQL server to the interface script.

And does it matter if a user has the same role both individually granted and inherited from a group? It shouldn't. If a role consists of a flag that says the user is (or is not) allowed to perform a specific function, and they get that flag twice, do they have more of the flag? Can a flag be off, on, and more on? Not normally, no. You'd have to go out of your way to program a system that would act like that.

Of more interest is what happens when you have two roles that conflict - one that says they can do something and one that says they can't do it. Which do you pick - the one that lets them do it or the one that stops them doing it? That is entirely your choice, of course. Incidentally, phpBB has 3 states for a permission - YES, NO and NEVER. YES can override NO, but can't override NEVER.

0
votes

You are talking about RBAC. It could by implemented for example via PHP-RBAC. For Symphony i found UserRbac.