How to design Users, Roles and permission schema

databasepermissionsuser-roles

This is a very common thing in the web application developmet. I have done it number of times.

But I am stuck in my current project designing the schema for this.

The thing is my application will have three types of users in the begining e.g. SuperAdmin, Admin and the normal user.

I plan to have these user types as the roles like ROLE_SUPERADMIN, ROLE_ADMIN and ROLE_USER.

The system can have many roles. In fact SuperAdmin and Admins an create roles and assign those roles to users.

The problem is,

Super Admins will have permisson p1, p2 and p3.
Super Admins can create other super admins.
Super Admins can create admins.
Super Admins will not add users in the system.

Admins can have permissions p5,p6 and p7.
Admins can not create another admins.
Admins can create other users.
Admins can also create roles like say Report viewers.

Super admin with permission p1, p2 and p3 should be able to create Admins with permissions p5, p6 and p7. Which I am not quite getting.

Logically when Super admmins themselves do not have permission p5, p6 and p7, how can they create admins with these permissions?

Please help me out with the proper design with this.

Below is the design I have so far.

USER
UserID RoleID

ROLE
RoleID RoleName

PERMISSION
PermissionID PermissionName

ROLE_PERMISSION
RoleID PermissionID

Thanks.

Best Answer

This is a loaded question, setting up members, roles, etc. is no small feat. I suggest you take a look at already written libraries to see if they may suit your needs. What you should start googling for, is 'Access Control Lists' (acl) for short.

Related Solutions

Mysql – How to quickly rename a MySQL database (change schema name)

For InnoDB, the following seems to work: create the new empty database, then rename each table in turn into the new database:

RENAME TABLE old_db.table TO new_db.table;

You will need to adjust the permissions after that.

For scripting in a shell, you can use either of the following:

mysql -u username -ppassword old_db -sNe 'show tables' | while read table; \ 
    do mysql -u username -ppassword -sNe "rename table old_db.$table to new_db.$table"; done

for table in `mysql -u root -ppassword -s -N -e "use old_db;show tables from old_db;"`; do mysql -u root -ppassword -s -N -e "use old_db;rename table old_db.$table to new_db.$table;"; done;

Notes:

There is no space between the option -p and the password. If your database has no password, remove the -u username -ppassword part.
If some table has a trigger, it cannot be moved to another database using above method (will result Trigger in wrong schema error). If that is the case, use a traditional way to clone a database and then drop the old one:

mysqldump old_db | mysql new_db
If you have stored procedures, you can copy them afterwards:

mysqldump -R old_db | mysql new_db

Linux – How to use sudo to redirect output to a location I don’t have permission to write to?

Your command does not work because the redirection is performed by your shell which does not have the permission to write to /root/test.out. The redirection of the output is not performed by sudo.

There are multiple solutions:

Run a shell with sudo and give the command to it by using the -c option:
```
sudo sh -c 'ls -hal /root/ > /root/test.out'
```
Create a script with your commands and run that script with sudo:
```
#!/bin/sh
ls -hal /root/ > /root/test.out
```
Run sudo ls.sh. See Steve Bennett's answer if you don't want to create a temporary file.

Launch a shell with sudo -s then run your commands:

[nobody@so]$ sudo -s
[root@so]# ls -hal /root/ > /root/test.out
[root@so]# ^D
[nobody@so]$

Use sudo tee (if you have to escape a lot when using the -c option):
```
sudo ls -hal /root/ | sudo tee /root/test.out > /dev/null
```
The redirect to /dev/null is needed to stop tee from outputting to the screen. To append instead of overwriting the output file (>>), use tee -a or tee --append (the last one is specific to GNU coreutils).

Thanks go to Jd, Adam J. Forster and Johnathan for the second, third and fourth solutions.

Best Answer

Related Solutions

Mysql – How to quickly rename a MySQL database (change schema name)

Linux – How to use sudo to redirect output to a location I don’t have permission to write to?

Related Topic