>> template and then let the template know whether or not it can go ahead
>> and perform the requested entitlement.
>
>
> I think this is where I'm losing you. I see no difference between "groups"
> and "tasks" in this.
Ok, I think I figured out where we're getting mixed up. I come from windows administration land, so I am thinking about the setup a bit differently. When I say groups, I mean that I am creating real groups w/ group IDs in a database table and assigning users to those groups. I am not talking about logical groupings of users and calling those groupings "roles" or "entitlements" - those are two different things and I think that's where we're getting mixed up. I have specifically created tables that keep track of what users are part of what groups. So, here are some of my groups:

Administrators
Message Mods
Organization Mods
Users
Public

Users are then assigned into each of those groups utilizing a many-to-many relationship. I can then assign groups to resources instead of assigning individual users to resources. This is standard windows administration practice because it makes for easier user admin. Now whether this is the best strategy for web app security, that's another thing, but I'm giving it a try anyways.

Now, my basic system currently works like this. I have a table that stores all the files on my site (they are uniquely named) and what groups are allowed to access each of those files. When a user requests a file, my cf_security tag (which is inserted at the beginning of every template) does a lookup to see what groups are allowed to access that file and then if the user is a member of one of those groups, it allows the user to access the file. If not, it will halt execution and go to an "access denied" template. Now, the only real permission (using windows lingo) that any user has with my basic system is execute. They either have permission to execute the file or not.

Taking this a step further, I wanted to allow myself to assign other permissions (read, write, display, concatenate, jump, fly, whatever) to templates based on the actions that those templates might perform.
So, in the user template, I need to edit/modify/delete users, and in the message template, I need to edit/post/delete messages. I wanted to take those permissions and bring control of each of them into the security system and allow myself to assign groups to *each* of those permissions on a per-template basis to really granularize the system. So, when a template is built, permissions needed for that template are registered in the database and access is controlled by assigning groups to each of those permissions for that template. Is it overkill? Maybe, maybe not. It's obviously not overkill for windows because people use file-level permissions all the time. I'm building a big application that is going to need a lot of different security contexts so making it very flexible and robust is key.

Now, in my other emails I've gone over the nitty gritty of how I've programmed my current system and how I plan to program my newer concept, but the description above is the overall idea of how it will work. The ultimate goal here is to have a central security system where every permission in every template can be managed from a GUI. There will be no references to users or groups within the templates that are doing the actual processing. All the template cares about is whether it has permission to do something or not, and it's the cf_security tag (inserted at the top of every template) that tells the template what it's allowed to do (based on the pre-registered permissions for that template).

Mike

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:217385
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4
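As an added illustration, not Mike's code and not ColdFusion (a Python/sqlite3 sketch of the same tables), here is the per-template permission registry and the group lookup that cf_security performs, with constructed sample groups, users and templates; anything not registered, or registered with no group granted, is denied by default:

```python
import sqlite3

# Real groups with IDs, users in groups (many-to-many), and per-template
# permissions each granted to zero or more groups (names are constructed).
SCHEMA = """
CREATE TABLE groups (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE users  (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE user_groups (user_id INTEGER, group_id INTEGER, PRIMARY KEY (user_id, group_id));
CREATE TABLE template_perms (id INTEGER PRIMARY KEY, template TEXT, perm TEXT, UNIQUE (template, perm));
CREATE TABLE perm_groups (perm_id INTEGER, group_id INTEGER, PRIMARY KEY (perm_id, group_id));
"""

def build_db():
    """Constructed sample data: three groups, three users, two templates."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO groups(name) VALUES (?)",
                   [("Administrators",), ("Message Mods",), ("Users",)])
    db.executemany("INSERT INTO users(name) VALUES (?)", [("alice",), ("bob",), ("carol",)])
    membership = [("alice", "Administrators"), ("bob", "Message Mods"),
                  ("bob", "Users"), ("carol", "Users")]
    db.executemany("INSERT INTO user_groups SELECT u.id, g.id FROM users u, groups g "
                   "WHERE u.name = ? AND g.name = ?", membership)
    # Registering a template's permissions and which groups get each one.
    grants = {
        ("messages.cfm", "execute"): ["Users", "Message Mods", "Administrators"],
        ("messages.cfm", "post"):    ["Users", "Message Mods", "Administrators"],
        ("messages.cfm", "edit"):    ["Message Mods", "Administrators"],
        ("messages.cfm", "delete"):  ["Administrators"],
        ("users.cfm", "execute"):    ["Administrators"],
        ("users.cfm", "delete"):     ["Administrators"],
        ("users.cfm", "reset_pw"):   [],  # registered, no group granted: nobody may do it
    }
    for (template, perm), names in grants.items():
        pid = db.execute("INSERT INTO template_perms(template, perm) VALUES (?, ?)",
                         (template, perm)).lastrowid
        db.executemany("INSERT INTO perm_groups SELECT ?, id FROM groups WHERE name = ?",
                       [(pid, n) for n in names])
    return db

def user_permissions(db, user, template):
    """What cf_security hands the template: the registered permissions on
    `template` granted to any group `user` belongs to. Unknown users, unknown
    templates and ungranted permissions all yield nothing (default deny)."""
    rows = db.execute("""
        SELECT DISTINCT tp.perm FROM template_perms tp
          JOIN perm_groups pg ON pg.perm_id = tp.id
          JOIN user_groups ug ON ug.group_id = pg.group_id
          JOIN users u        ON u.id = ug.user_id
         WHERE tp.template = ? AND u.name = ?""", (template, user))
    return {r[0] for r in rows}

def may_execute(db, user, template):
    """The check at the top of every template: halt unless 'execute' is granted."""
    return "execute" in user_permissions(db, user, template)
```

The template itself never names a user or group; it only asks for the set returned by user_permissions and branches on that.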

