Quote:
Originally Posted by mjlecomte
Thanks, that's great.
I'm new to access control, and "RBAC" seems to be what I am looking for. I was wondering if you could briefly state pros or cons or limitations or recommendations of 3 designs:
1. this one
2. phpGACL ( PHP Generic Access Control Lists)
3. radicore ( A Role-Based Access Control (RBAC) system for PHP)
#3 has an RBAC wrapped up inside a framework, and there is a licensing issue. So I may not be able to use that one, despite any merits of the logic (although Tony appears to have a sizeable background designing these things, so I hate to dismiss it outright).
Whichever one I end up with I plan to port to CodeIgniter.
Thanks for any thoughts you may have.
I am aware of both of these systems, but cannot give a detailed analysis of them since I only looked at them briefly about 2 years ago, so some things may have changed.
At the time I was looking for an RBAC framework and downloaded/installed phpGACL. I played around with it and read the documentation, but (call me slow if you like ;-)) I just couldn't see how to make it work for my situation. It was actually after spending some time trying to understand the intricacies of phpGACL that I decided to make RBAC_bv.
Concerning Radicore, I remember reading Tony's pages and found them interesting. A lot of his work is worth reading, even if it is just to get a different perspective on tackling a problem.
The main aim I had when making RBAC_bv was that it had to be conceptually easy to understand and still flexible.
It had to be fast and efficient and cater to simple as well as complex situations alike.
90% of web apps only need simple role-based access control mechanisms to deal with a user who has just logged in, such as 'is the user a member?' or 'is the user an administrator?'
Basically we just want to determine the role of a user (i.e. member, admin, moderator, etc.). RBAC_bv can do that very quickly.
If you look at the picture of the database design on the first post of this thread you will see that the whole design follows a pyramid structure with the roles defined at the top and the finer details defined at the bottom. So in essence you can drill down the pyramid to get finer and finer permission classification for the user.
RBAC_bv allows you to query the database at any point and retrieve all the information you need with just one query.
For example, you can find out with just one query:
- all the roles assigned to a user
- all the privileges assigned to a role
- all the domains assigned to a role
- all the actions assigned to a privilege
- all the objects assigned to a domain
which means you can also determine with just one query:
- all the actions a user can perform or not perform on any object.
Conversely, you can also find out quickly which users have a certain role and therefore which users can perform a certain action on a given object.
The key however to all this working nicely is taking time to think through the actions and objects you will be dealing with and grouping them appropriately together.
So in summary the advantages would be:
- Easy to understand (I hope ;-)!
- Easy to extend
- Can be used as a fine grained or coarse grained RBAC framework depending on your requirements
- Efficient and fast (However I have never run tests to see how it compares in speed to the other systems... any takers?)
- BSD license
Disadvantages:
- Not polished. The main purpose of this thread is really to share an idea, a concept that others can take and improve upon. That is why all the code is released under the BSD license. So don't consider RBAC_bv unless you are willing to get your hands dirty ;-)
For anyone wanting to integrate RBAC_bv into their own framework, I would be glad to help in any way I can.
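An added example (not RBAC_bv's own code or schema, which the post only links as a picture in the first post): the pyramid described above, users -> roles -> privileges -> actions on one side and roles -> domains -> objects on the other, rebuilt as a sqlite3 schema with constructed sample users, plus the single-join queries the post talks about (roles of a user, every action/object pair a user may use, a yes/no check, and the converse "which users can do X on Y"). The table and column names, the sample data, and the rule that the action side and the object side must both be reached through the same role of the user are assumptions of this example, not something the post states.

```python
"""Added example: the users -> roles -> privileges -> actions / roles ->
domains -> objects pyramid described in the post, rebuilt in sqlite3.

Not RBAC_bv's own code or schema. Table and column names are assumptions,
as is the rule that the action side and the object side must both be
reached through the same role of the user.
"""
import sqlite3

# Leaf tables: every entity is just an id and a unique name (assumed layout).
NAMED = ["users", "roles", "privileges", "actions", "domains", "objects"]

# Link tables, one per edge of the pyramid (assumed names).
LINKS = {
    "user_roles": ("user_id", "role_id"),
    "role_privileges": ("role_id", "privilege_id"),
    "role_domains": ("role_id", "domain_id"),
    "privilege_actions": ("privilege_id", "action_id"),
    "domain_objects": ("domain_id", "object_id"),
}

# Constructed sample data (hypothetical names). 'dave' has no role on purpose.
SAMPLE = {
    "users": ["alice", "bob", "carol", "dave"],
    "roles": ["admin", "member", "moderator"],
    "privileges": ["manage", "read", "moderate"],
    "actions": ["view", "edit", "delete"],
    "domains": ["everything", "forum"],
    "objects": ["posts", "users"],
    "user_roles": [("alice", "admin"), ("bob", "member"), ("carol", "moderator")],
    "role_privileges": [("admin", "manage"), ("member", "read"), ("moderator", "moderate")],
    "role_domains": [("admin", "everything"), ("member", "forum"), ("moderator", "forum")],
    "privilege_actions": [("manage", "view"), ("manage", "edit"), ("manage", "delete"),
                          ("read", "view"), ("moderate", "view"), ("moderate", "edit")],
    "domain_objects": [("everything", "posts"), ("everything", "users"), ("forum", "posts")],
}


def build_db():
    """Create the schema in memory and load the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    for t in NAMED:
        conn.execute(f"CREATE TABLE {t} (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL)")
        conn.executemany(f"INSERT INTO {t} (name) VALUES (?)", [(n,) for n in SAMPLE[t]])
    ids = {t: dict(conn.execute(f"SELECT name, id FROM {t}")) for t in NAMED}
    for t, (lcol, rcol) in LINKS.items():
        conn.execute(f"CREATE TABLE {t} ({lcol} INTEGER NOT NULL, {rcol} INTEGER NOT NULL, "
                     f"PRIMARY KEY ({lcol}, {rcol}))")
        ltab, rtab = lcol[:-3] + "s", rcol[:-3] + "s"  # user_id -> users, etc.
        conn.executemany(f"INSERT INTO {t} ({lcol}, {rcol}) VALUES (?, ?)",
                         [(ids[ltab][l], ids[rtab][r]) for l, r in SAMPLE[t]])
    conn.commit()
    return conn


# One walk down the whole pyramid. Both branches hang off the same user_roles
# row, so an action is only reachable for objects in a domain of the same role.
_PYRAMID = """
    FROM users u
    JOIN user_roles ur        ON ur.user_id = u.id
    JOIN role_privileges rp   ON rp.role_id = ur.role_id
    JOIN privilege_actions pa ON pa.privilege_id = rp.privilege_id
    JOIN actions a            ON a.id = pa.action_id
    JOIN role_domains rd      ON rd.role_id = ur.role_id
    JOIN domain_objects dob   ON dob.domain_id = rd.domain_id
    JOIN objects o            ON o.id = dob.object_id
"""


def roles_of(conn, user):
    """The coarse-grained question ('is this user an admin?'): one short join."""
    rows = conn.execute("SELECT r.name FROM users u JOIN user_roles ur ON ur.user_id = u.id "
                        "JOIN roles r ON r.id = ur.role_id WHERE u.name = ? ORDER BY r.name", (user,))
    return [r[0] for r in rows]


def user_permissions(conn, user):
    """Every (action, object) pair the user may use, in one query."""
    rows = conn.execute("SELECT DISTINCT a.name, o.name" + _PYRAMID +
                        "WHERE u.name = ? ORDER BY a.name, o.name", (user,))
    return [tuple(r) for r in rows]


def can(conn, user, action, obj):
    """Yes/no check; a user with no role matches nothing, so it denies by default."""
    row = conn.execute("SELECT 1" + _PYRAMID +
                       "WHERE u.name = ? AND a.name = ? AND o.name = ? LIMIT 1",
                       (user, action, obj)).fetchone()
    return row is not None


def who_can(conn, action, obj):
    """The converse question: which users can perform this action on this object."""
    rows = conn.execute("SELECT DISTINCT u.name" + _PYRAMID +
                        "WHERE a.name = ? AND o.name = ? ORDER BY u.name", (action, obj))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    for name in SAMPLE["users"]:
        print(name, roles_of(db, name), user_permissions(db, name))
    print("edit posts:", who_can(db, "edit", "posts"))
```

Two things worth noticing when running it: carol's moderator role reaches the edit action, but only for objects in the forum domain, so `can(db, "carol", "edit", "posts")` is true while `can(db, "carol", "edit", "users")` is false; and dave, who has no role at all, never matches a row, so every check on him is denied without any special-casing. That is where the post's remark about grouping actions and objects carefully matters: the grouping of privileges and domains is the whole policy.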