?
Solved

application access control

Posted on 2013-12-02
2
Medium Priority
?
367 Views
Last Modified: 2013-12-03
For any in house built applications where their is an authentication process (i.e. username and password), and where access to the app should be tied down to only what the other needs to see, i.e. their account, team area of an application etc, where is access control typically designed. Lets for argument sake say its a text based records in the app, where do you develop your access logic in the app, is this at underlying database level, or within your code, or within both? how do you prevent them breaking out their area of the app, i.e. messing with object references to see if they can get to anothers area of the app/account

if for example you needed to demonstrate to an auditor that your app properly limits access to data based on "need to know" principles, how would you go about demonstrating this? where would you pluck the evidence from?

I appreciate this is very vague I was just intrigued where the access control is designed, and at what level of the apps stack
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 7

Accepted Solution

by:
dimmergeek earned 1000 total points
ID: 39691068
On our Intranet application we use Active Directory.  User puts his/her AD username and password in, and we create a list of groups that user is in.  We set access to pages and apps using AD groups.  If you're not a member of SG-IntraAPPS-SeeSalesDollars, then you cannot see the link that takes you to our sales dollars page.  Even if someone gave you the exact URL, we perform user authentication on over page (an include file that checks for a session variable)
0
 
LVL 33

Assisted Solution

by:Big Monty
Big Monty earned 1000 total points
ID: 39692732
there's multiple ways to setting up user security. AD is one way, and it is very secure. Other apps may control the access via the database, You  may have a users table, with encrypted passwords, and then you may have a permissions table, which stores the level of access they have with the userID. Going that route, you would then need to check the user access on each page.
0

Featured Post

Free Backup Tool for VMware and Hyper-V

Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Your data is at risk. Probably more today that at any other time in history. There are simply more people with more access to the Web with bad intentions.
In this article, I’ll look at how you can use a backup to start a secondary instance for MongoDB.
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question