How to Store Role-Based Access Rights in a Web Application

Securitysessionweb-development

Currently working on a web based CRM type system that deals with various Modules such as Companies, Contacts, Projects, Sub Projects, etc. A typical CRM type system (asp.net web form, C#, SQL Server backend). We plan to implement role based security so that basically a user can have one or more roles.

Roles would be broken down by first the module type such as:

-Company

-Contact

And then by the actions for that module for instance each module would end up with a table such as this:

Role1 Example:

    Module   Create  Edit        Delete   View
    Company   Yes    Owner Only    No     Yes
    Contact   Yes    Yes           Yes    Yes

In the above case Role1 has two module types (Company, and Contact). For company, the person assigned to this role can create companies, can view companies, can only edit records he/she created and cannot delete. For this same role for the module contact this user can create contacts, edit contacts, delete contacts, and view contacts (full rights basically).

I am wondering is it best upon coming into the system to session the user's role with something like a:

List<Role> roles;

Where the Role class would have some sort of List<Module> modules; (can contain Company, Contact, etc.).? Something to the effect of:

class Role{
string name;
string desc;
List<Module> modules;
}

And the module action class would have a set of actions (Create, Edit, Delete, etc.) for each module:

class ModuleActions{
List<Action> actions;
}

And the action has a value of whether the user can perform the right:

class Action{
string right;
}

Just a rough idea, I know the action could be an enum and the ModuleAction can probably be eliminated with a List<x, y>. My main question is what would be the best way to store this information in this type of application: Should I store it in the User Session state (I have a session class where I manage things related to the user). I generally load this during the initial loading of the application (global.asax). I can simply tack onto this session.

Or should this be loaded at the page load event of each module (page load of company etc..). I eventually need to be able to hide / unhide various buttons / divs based on the user's role and that is what got me thinking to load this via session.

Any examples or points would be great.

Best Answer

Well, I think your design is fine I would only recommend you only a simple thing on how to store the roles. I have here a system that has almost the same concepts. It is not based on roles as per the name.

So I have a user session object with objects of type Map that store the permissions that the user has. And this Map objects is filled on demmand It will be something like:

public class UserSession {
    HashMap<Application, Action> map;

    public boolean hasPermissionApp( Application app ){
        if ( !map.containsKey(app) ){
            //check if the user has the permission on the DB or whatever you store it
            //if it has add it to the map with the action that 
            //it came along and return true
            //if it hasn't return false
        }
        return true;
    }

    public boolean hasPermissionAction( Application app, Action act ) {
        if ( hasPermissionApp(app) ){
            if ( !map.get(app).containsKey(act) ){
                //check if the user has permission to that action of the app
                //if it has add to the map and return true
                //if not return false
            }
        }
        return false;
    }
}

That way you load the user permisson and store it by demmand and don't overload the session object with the full set of permissions that the user has.

EDIT

As OP asked on the comments:

Do you fill this hashmap at every sort of click event that requires role permissions?

The answer is almost this. When the user logs in an application the user session object is empty, so for the Application that He is logging in I would check if He has access and if so, I add it to the map with the first Action that was called by that Application lets say 'View'. And with this Action the user can see the search form.

Here you can have two approach. Which is what you asked!

Check permissions when the user fire the events like with this 'View' Action it can see the entire form with the buttons search, add, cancel (or whatever others) But the permission will be checked only when the user press the button. Then it if have you add to the map or send him a message saying that it does not have that permission.
Check the permission when rendering the actions. You only show the buttons on the form if the user has that appropriate Action associated to it. So lets say you are using a component library like Richfaces it would be like this:

<a4j:commandButton rendered="#{userSessionObject.hasPermissionAction('appBla','search')}" ..... />

And since this is created on the construction of the page the map would be filled on every check permission that is made on the page or other resources.

And on my application i choose for the second approach, because I don't think that make sense to show a button to a user that does not have the access to it.

Edit 2

A thing that maybe is usefull is that I associate a thread timing (configurable time) to the user session that clean up the maps on the userSessionObject, so if some administrator change permissions to that user at some point it will have his permissions updated automatically, not exactly at prompt but this was a acceptable requirement to this particular system.

Related Solutions

Java – HTTP Session: A single object or multiple

1 key, 1 object will be more predictable regarding interaction with app server and possible session replication techniques. Not sure what you mean by "set of final static String" being necessary. You may manage session keys any way you like.

Consider you have 20 preferences, and perhaps your preferences class has an enum of preference names. Could get/set session a little bit indirectly:

class Preferences {

    private static final SESSION_KEY_PREFIX = Preferences.class.getName()+'.';

    enum Name {
        LOCALE,
        ...
    }

    static String get(HttpSession session, Name name) {
        return (String)session.getAttribute(SESSION_KEY_PREFIX + name.name());
    }

    static void set(HttpSession session, Name name, String value) {
        session.setAttribute(SESSION_KEY_PREFIX + name.name(), value);
    }

    static void clear(HttpSession session) {
        for(Name name : Name.values()) {
            session.removeAttribute(SESSION_KEY_PREFIX + name.name());
        }
    }
}

You may then add preferences by just adding to the enum, and all specific interaction with the session is encapsulated.

This example pretty trivial so the Preferences class itself could also become an enum instead, without a separate "Name" enum. Which could be:

enum Preference {
    LOCALE,
    ....;

    private final String sessionKey = Preference.class.getName()+'.'+name();

    String get(HttpSession session) {
        return (String)session.getAttribute(sessionKey);
    }

    void set(HttpSession session, String value) {
        session.setAttribute(sessionKey, value);
    }

    static void clear(HttpSession session) {
        for(Preference pref : Preference.values()) {
            session.removeAttribute(pref.sessionKey);
        }
    }
}

Security – Role vs Permission Based Access Control

(1) What is so "bad" about checking Roles for access control? What benefits are gained by checking for permissions instead?

At the moment of checking, the calling code only needs to know "does user X have permission to perform action Y?".
The calling code does not care about and should not be aware of relationships between roles and permissions.

The authorization layer will then check if the user has this permission, typically by checking if the user's role has this permission. This allows you to change authorization logic without updating the calling code.

If you directly check for role at the call site, you are implicitly forming role ⇄ permission relationships and injecting authorization logic into the calling code, violating separation of concerns.

Should you later decide that role foo should not have permission baz, you would have to change every code which checks if the user is a foo.

(2) In this scenario what useful value do Roles even provide? Couldn't we just assign 1+ Permissions to Users directly? What concrete value of abstraction do Roles offer (can someone give specific examples)?

Roles conceptually represent a named collection of permissions.

Let's say you are adding a new feature which allows a user to edit certain settings. This feature should be available to administrators only.

If you are storing permissions per user, you would have to find all users in your database which you somehow know are administrators (If you're not storing role information for users, how would you even know which users are administrators?), and append this permission to their list of permissions.

If you use roles, you only have to append the permission to the Administrator role, which is both easier to perform, more space efficient, and is less prone to mistakes.

Best Answer

Related Solutions

Java – HTTP Session: A single object or multiple

Security – Role vs Permission Based Access Control

Related Topic