Questions tagged [permissions]

94 questions
69 votes, 3 answers

Role vs Permission Based Access Control

I'm trying to understand the inherent tradeoff between roles and permissions when it comes to access control (authorization). Let's start with a given: in our system, a Permission will be a fine-grained unit of access ("Edit resource X", "Access the…
smeeb
56 votes, 11 answers

What is meant by, "A user shouldn't decide whether it is an Admin or not. The Privileges or Security system should."

The example used in the question pass bare minimum data to a function touches on the best way to determine whether the user is an administrator or not. One common answer was: user.isAdmin() This prompted a comment which was repeated several times…
52 votes, 5 answers

What's the word for an operation that can be applied multiple times and never change state beyond the initial application?

I'm trying to remember a word, I think it's related to computational or database theory. The closest synonym is atomic but that's not exactly it. Basically it's a kind of computation that should produce the same result even when run multiple times…
Mark Fox
36 votes, 3 answers

Implementing DDD: users and permissions

I am working on a small application trying to grasp the principles of domain-driven design. If successful, this might be a pilot for a larger project. I'm trying to follow the book "Implementing Domain-Driven Design" (by Vaughn Vernon) and trying to…
31 votes, 6 answers

Dynamic Code Evaluation in Java - Clever or Sloppy?

I am trying to create a flexible ACL framework in Java for my application. Many ACL frameworks are built on a whitelist of rules, where a rule is in the form of owner:action:resource. For example, "JOHN can VIEW resource FOOBAR-1" "MARY can VIEW…
Twittopher
30 votes, 2 answers

How to design role based access control?

I am trying to follow the role based access control model to restrict what users can or cannot do in my system. So far I have the following entities: users - People who will use the system. Here I have usernames and passwords. roles - Collection…
30 votes, 6 answers

Where should user permission checks take place in an MVC and by whom?

Should user permission checks take place in the model or the controller? And who should handle the permission checks, the User object or some UserManagement helper? Where should it happen? Checking in the Controller: class MyController { void…
kba
19 votes, 1 answer

What is a suggested roadmap towards implementation of a simple Attribute-based access control (ABAC)?

When reading about ACL and RBAC I seem to understand it easily - there are either usernames or roles that are given access to an asset. I can also see how I could implement those. i.e. this image gives a clear view of ACL and RBAC for me (as in…
Dennis
13 votes, 8 answers

Punishing users for insecure passwords

I'm thinking about limiting the rights of users who choose insecure passwords (insecurity of a password being determined by length, how many types of characters (upper/lower case, numbers, symbols, etc.) are used, and whether it can be located in a…
Carson Myers
9 votes, 3 answers

How to cleanly implement permission based feature access

I have been tasked with writing an on/off control for features in our product based on who is signed in, in principle with one on/off flag for each feature. Put simply, this is a permission based feature access that can be activated at the user…
zzelman
8 votes, 4 answers

Correct Way to Implement Authorization Checks in ASP MVC

In ASP MVC we have the Authorize attribute to perform checks at either a controller level or at a controller method level. But what if you need to check permissions inside a controller method, e.g. let's say you're doing some update or create action to…
7 votes, 2 answers

Examples of permission-based authorization systems in .NET?

I'm trying to figure out how to do roles/permissions in our application, and I am wondering if anyone knows of a good place to get a list of different permission-based authorization systems (preferably with code samples) and perhaps a list of…
Rachel
7 votes, 4 answers

How can I create and manage permissions more dynamically?

I want to implement a security system into my web-based Intranet application which allows security administrators to 'fine-tune' exactly what type of access a user/role has to an object. For example, an ACL-based solution might allow a receptionist…
7 votes, 5 answers

Filesystem like permissions for C++ type-members

Abstract (tl;dr) Please read the full question, this is awfully simplified: How can unix file permission style restrictions be applied to inter-type data/control flows, allowing fine-grained access to some class-members for some groups of…
bitmask
6 votes, 1 answer

How can I clearly present specifications for user permission levels?

I need to write specifications for permission levels on a system. There are two types of user (Viewer and Editor). Everything a Viewer can do, an Editor can also do. An Editor's permissions build on those of a Viewer. I now need to present these…
Tim