How do I implement group users with differnet permissions using mysql and php

Posted on 2012-09-02
Last Modified: 2012-09-06
Hi I am current working on a project as part of my study and I have to design a mySQL database for a high school P.E department, where there will be three user groups the students teachers and the administrator. The administrator needs to be able to grant the students of a certain form class permission for about an hour when they need to enter fitness results.

I am not really sure how I would go about implementing this so any help would be very much appreciated.
Question by:stumpboss
    LVL 9

    Expert Comment

    LVL 39

    Accepted Solution

    Not sure if I understand the question, but will describe some options for application privilege systems.

    From your description, it seems you could hardcode the security in your application, which is a lot easier than creating a dynamic privilege system. It would be something like this:

    You need a user table with username/password etc and a role: student, teacher or admin. This could be an ENUM field in the table:

    create user (
      role enum('student','teacher','admin') not null default 'student',

    Open in new window

    You need a login mechanism, and when a user is logged in, you know what role that user have by reading the user record. Something like this:

    if(!isset($_SESSION['userid'])) RedirectToLogin();
    $user = GetUser($_SESSION['userid']);
    if(!$user) {
      AdminEmail('Invalid userid in session: '.$_SESSION['userid']);
    if($user->role == 'admin') {
       # admin functionallity goes here
    if($user->role == 'teacher') {
       # teacher functionallity goes here
    if($user->role == 'student') {
       # student functionallity goes here

    Open in new window

    This should solve what you describe, but it would be problematic to add other roles later, like "janitor" or "secretary" or "moderator" or whatever, you would need to review all existing code to implement the new roles.

    An alternative that would give you a bit more flexibillity, would be to use a numeric code for the role:

    create user (
      role tinyint not null default 10,

    Open in new window

    Then you would define the roles in your application, for instance:


    Open in new window

    ...and you could "group" roles:

    if($user->role <= TeacherLevel) {  # admins & teachers
    if($user->role >= TeacherLevel) {  # teachers & students

    Open in new window

    ...and you can add new roles "between" existing roles, so that they are automatically included in old code with tests like above (i.e. using >= and <=, not ==).

    For a full blown application privilege system, you would need DB tables for users, groups and privileges, plus some tables to bind those entities to each other: user_groups, user_privs and group_privs is typical. You would also need an allow/deny mechanism with very clear rules, and possibly a "importance" property to weight different rules. A typical issue is when a user is a member of two groups, one group has a privilege and the other group is denied the same privilege... is the user allowed or denied?

    I won't go into more detail about this until I know more about what you need.

    Author Closing Comment

    Hey sorry about the slow response I've been away on business.

    Thanks for your solution it has given me excellent insight into how to go about it

    Featured Post

    Find Ransomware Secrets With All-Source Analysis

    Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

    Join & Write a Comment

    More Fun with XML and MySQL – Parsing Delimited String with a Single SQL Statement Are you ready for another of my SQL tidbits?  Hopefully so, as in this adventure, I will be covering a topic that comes up a lot which is parsing a comma (or other…
    Load balancing is the method of dividing the total amount of work performed by one computer between two or more computers. Its aim is to get more work done in the same amount of time, ensuring that all the users get served faster.
    Hi everyone! This is Experts Exchange customer support.  This quick video will show you how to change your primary email address.  If you have any questions, then please Write a Comment below!
    Here's a very brief overview of the methods PRTG Network Monitor ( offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

    729 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    16 Experts available now in Live!

    Get 1:1 Help Now