rbac and row level permissions
Posted on 2009-05-06
I have been doing a lot of reading on RBAC. A typical RBAC SQL database schema is described as having a...
Users -> Roles -> Permissions structure that acts on objects (i.e. tables) in a database. This I am fine with (I think).
My question is about permissions given to each row in a resource like tblNews table in order to protect it. So from a Users perspective...
Users Permission = I can edit each row in the tblNews table where the assigned editors of any row are USERTYPE_X
and from the tblNews perspective...
tblNews Permission = This row's editors are USERTYPE_X and USERTYPE_Y
i.e. the data in any one row of a resource is itself protected by a combination of PermissionType (CAN_EDIT_NEWS) and UserType (Club Secretary).
So, rather than a table getting protected, it is each row that gets protected.
I hope this makes sense, and if you know where I am trying to get to I would appreciate any thoughts and feedback.
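One way to model the row-level check the question describes, as an added example that is not part of the original post: the standard Users -> Roles -> Permissions tables decide whether a role may edit news at all (CAN_EDIT_NEWS), and a separate per-row table lists which roles are the assigned editors of each tblNews row; a user may edit a row only when both conditions hold for the same role. The table names other than tblNews, the role names and the sample data are assumptions constructed for the demo.

```python
import sqlite3

# Table-level RBAC plus one row-level table (news_editor_roles) for tblNews.
SCHEMA = """
CREATE TABLE users            (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE roles            (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE permissions      (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE user_roles       (user_id INTEGER, role_id INTEGER);
CREATE TABLE role_permissions (role_id INTEGER, permission_id INTEGER);
CREATE TABLE tblNews          (id INTEGER PRIMARY KEY, title TEXT);
-- Row-level part: the roles that are the assigned editors of one news row.
CREATE TABLE news_editor_roles (news_id INTEGER, role_id INTEGER);
"""

# A row is editable by the user only if some role of theirs BOTH carries
# CAN_EDIT_NEWS (table-level) AND is listed as an editor of that row.
CAN_EDIT_QUERY = """
SELECT 1
FROM user_roles ur
JOIN role_permissions rp  ON rp.role_id = ur.role_id
JOIN permissions p        ON p.id = rp.permission_id
JOIN news_editor_roles ner ON ner.role_id = ur.role_id
WHERE ur.user_id = ? AND ner.news_id = ? AND p.name = 'CAN_EDIT_NEWS'
LIMIT 1
"""

def build_demo_db():
    """In-memory database filled with constructed sample data (assumed names)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO roles VALUES (?, ?)",
                     [(1, "CLUB_SECRETARY"), (2, "MEMBER"), (3, "TREASURER")])
    conn.executemany("INSERT INTO permissions VALUES (?, ?)",
                     [(1, "CAN_EDIT_NEWS"), (2, "CAN_VIEW_NEWS")])
    # Secretaries and treasurers may edit news in general; members may only view.
    conn.executemany("INSERT INTO role_permissions VALUES (?, ?)",
                     [(1, 1), (1, 2), (2, 2), (3, 1), (3, 2)])
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    conn.executemany("INSERT INTO user_roles VALUES (?, ?)", [(1, 1), (2, 2), (3, 3)])
    conn.executemany("INSERT INTO tblNews VALUES (?, ?)",
                     [(10, "AGM notice"), (11, "Accounts")])
    # Row 10: editors are secretaries and members (members still lack CAN_EDIT_NEWS).
    # Row 11: editors are secretaries and treasurers.
    conn.executemany("INSERT INTO news_editor_roles VALUES (?, ?)",
                     [(10, 1), (10, 2), (11, 1), (11, 3)])
    return conn

def can_edit_news(conn, user_id, news_id):
    """True only when table-level permission and row-level assignment coincide."""
    return conn.execute(CAN_EDIT_QUERY, (user_id, news_id)).fetchone() is not None
```

Note that bob (MEMBER) is listed as an editor of row 10 but still cannot edit it, because his role never received CAN_EDIT_NEWS; the row-level list narrows the table-level grant, it never widens it.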