Storing and assigning user rights within an application with an unknown number of plugins

Posted on 2007-07-28
Last Modified: 2012-05-05
I have an application that uses 0 or more plugins, but I need to assign user rights for access to various parts of the application and then iterate those rights to show or hide / enable or disable / modify menu and UI items appropriately.  At the moment users can log in, but only have three levels: basic user, power user, administrator.  Anyone with Administrator privileges can access anything, so that is easy enough and short circuits the need to deal with other checks.

All other users, though, may need to be allowed to access part of the system on a read only, read and write, or some other combination such as can add but cannot delete.

In trying to determine the best way to store and process this information I have considered a bitwise value, but that only provides 64 permissions and I have no way of knowing how many may be required.

Given that the application uses plugins, the plugins need to store some sort of rule that determines who can do what, which the host application can then implement.

Can anybody give me some advice about implementing this type of structure?

Chris Bray.
Question by:chrisbray
    LVL 29

    Expert Comment

    by:Gautham Janardhan
    Something like this might be feasible.

    Say you number your entities (your addons), say

    Addon 1 is 100
    Addon 2 is 200
    and so on

    and for each addon you will have privileges from 1-99

    like 101 - 199;

    then for each user you can store the privileges in a string list

    usera -   101,102,201,202,203,204,105,109
    userb -  301,302,201,302,203,304,105,309 ,401

    LVL 7

    Accepted Solution

    This is a very common problem you are facing.
    The implementation I have seen the most is the following:
    In a database (interpret this broadly: it can be Oracle, a flat text file, hard coded, PostgreSQL, ...) the following data is stored (I will use database notation to clear this up)
    Table UserGroups

    Table Users

    Table Plugins

    Table Rights
    --> those rights can be stored in a byte, but this is very unhandy if you want to adjust rights afterwards or want to quickly correct some erroneous rights - it's difficult to see errors at a quick glance

    In your application, if someone logs in, you load the rights into a commonly visible object (static). Since you have only one user active (mostly - otherwise you just extend the system) you put all the rights in a hashtable (pluginname, rights). When you need to show a menu item of a plugin, you ask the hashtable for the rights (a very fast operation) and you take the appropriate action.

    You now have some scenarios to consider.
    - The user that is logging on has no rights assigned. Most of the time when this happens, and a user can perform a valid login, you give him the rights from an "everyone" user group.
    - You have a plugin that has no rights assigned; mostly you give the current user all the rights
    --> those two scenarios limit the amount of data you need to keep inside your rights management system
    You can implement the property in a way that makes this system transparent. The object returning the rights should always return a right following the system above; that way the rest of your program just blindly follows the rights that are given.

    A very tight structure to put the rights into in the hashlist is:
    struct Rights // yes, structs do exist in C#, they are value types!
    {
        public bool Visible;
        public bool Read;
        public bool Write;
        public bool Delete;
        public bool Audit;
    }

    The most general way to make the rights available is, if you can make a call like:
    Rights r = RightsManager.User["user"].Rights["Plugin"];
    --> since you have only one user, you can make the User prop a simple array, but it provides easy extension for cases where more users can exist (e.g. execute a module with elevated rights)

    Kind regards,
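
The lookup described in the accepted answer, as an added example (not code from the thread): rights are loaded into a per-user, per-plugin table and `Lookup` always returns a value, with the "everyone" fallback for users that have no entries. The class and method names, the `[Flags]` enum used in memory in place of the answer's struct of bools, and the sample users and plugins are assumptions; the default for a plugin with no rules is a constructor argument, so it can be `Rights.None` or the allow-all the answer describes.

```csharp
using System;
using System.Collections.Generic;

[Flags]
public enum Rights { None = 0, Visible = 1, Read = 2, Write = 4, Delete = 8, Audit = 16,
                     All = Visible | Read | Write | Delete | Audit }

public sealed class RightsManager
{
    public const string Everyone = "everyone"; // assumed name for the fallback group
    // principal (user or group) -> plugin name -> rights; filled once at login
    private readonly Dictionary<string, Dictionary<string, Rights>> _grants =
        new Dictionary<string, Dictionary<string, Rights>>();
    private readonly HashSet<string> _pluginsWithRules = new HashSet<string>();
    private readonly Rights _unlistedPluginDefault;

    public RightsManager(Rights unlistedPluginDefault)
    {
        _unlistedPluginDefault = unlistedPluginDefault;
    }

    public void Grant(string principal, string plugin, Rights rights)
    {
        if (!_grants.TryGetValue(principal, out var perPlugin))
            _grants[principal] = perPlugin = new Dictionary<string, Rights>();
        perPlugin[plugin] = rights;
        _pluginsWithRules.Add(plugin);
    }

    // Always returns a value, so UI code never special-cases missing data.
    public Rights Lookup(string user, string plugin)
    {
        // A plugin nobody has configured gets the policy chosen at construction.
        if (!_pluginsWithRules.Contains(plugin)) return _unlistedPluginDefault;
        // A user with no entries at all inherits the "everyone" group.
        if (!_grants.TryGetValue(user, out var perPlugin))
            _grants.TryGetValue(Everyone, out perPlugin);
        // A user with entries of their own gets only what was granted to them.
        return perPlugin != null && perPlugin.TryGetValue(plugin, out var r) ? r : Rights.None;
    }
}

public static class Demo
{
    public static void Main()
    {
        var mgr = new RightsManager(Rights.None); // pass Rights.All for the answer's allow-all
        mgr.Grant(RightsManager.Everyone, "Reports", Rights.Visible | Rights.Read);
        mgr.Grant("alice", "Invoices", Rights.Visible | Rights.Read | Rights.Write);
        Console.WriteLine(mgr.Lookup("alice", "Invoices").HasFlag(Rights.Delete));
        Console.WriteLine(mgr.Lookup("bob", "Reports"));     // bob has no entries
        Console.WriteLine(mgr.Lookup("alice", "Unlisted"));  // plugin has no rules
    }
}
```

Because rights are keyed by plugin name, each plugin gets its own set of flags and the total number of permissions is not bounded by the width of one integer.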
    LVL 3

    Author Comment

    Hi Bob,

    Illusio gave a good answer, but not necessarily what I was looking for.  Again, I was sincerely hoping for some more input from other experts....

    That said, the suggestion was valid and I feel that perhaps some or all of the points on a B grade would be appropriate in this situation.  Please advise if you feel this would fit in with the ethos and rules of EE.

    Chris Bray.
    LVL 7

    Expert Comment

    Hi Chris,

    Maybe you can comment on the ideas given and I can give further ideas and advice. There are some more solutions possible. The design I've laid out is a general one - usable in almost any case. For me the safest suggestion to start with since I don't know your specific situation in detail.

    Maybe you can give some upper limits and minimum requirements.

    Kind regards,
    LVL 7

    Expert Comment

    Oh - grade of B is good for me - I'm not really in it for the points, just for the helping.

    LVL 3

    Author Comment

    Hi Illusio,

    To be honest I have passed your suggestion to one of my co-developers but due to family illness on my part and holidays on his we have not yet had an opportunity to review your suggestion in detail in comparison with the project.  Unfortunately that part of the project is more his responsibility so whilst I can ask the question and suggest he will have to make sure that your suggestion does not clash with whatever else he is coding.

    We were certainly thinking of storing permissions for individuals rather than user groups, and the solution needs to be scalable.  Your suggestion is not (yet) a complete solution but may well lead to one once we review it in context, and hopefully that review will take place tomorrow.  I suggest that I ask him to review that before our meeting and I will come back and ask any further questions or request more assistance if required.  

    I do feel that your answer deserves points rather than deletion, and thank you for both your help so far and your offer of further assistance.

    Chris Bray.
    LVL 3

    Author Comment

    Hi Peter

    After all that my colleague is now ill and not fit for our coding review today!!  However, he has reviewed the suggestion you put forward and says that with modification it is workable for our purposes.  I therefore propose to assign you the points as described above and thank you for your efforts.

    If we come across any further issues I will post another question which hopefully you will spot and be able to answer.

    Chris Bray.
