I have built a database-driven web application that has a user and group system that works in a similar way to how Linux handles user access.
Brief explanation:
Users can access various resources; each resource is assigned to a single group, and users can have many groups.
Users
Code:
id name
-- -------
1 RedRanger
2 GreenRanger
3 BlueRanger
Group Assignment
Code:
user group
---- -----
1 33
1 44
1 55
2 33
2 44
3 33
3 44
3 55
3 66
Group description
Code:
gid name
--- ----
33 user
44 things
55 stuff
66 foo
Resource
Code:
name group
---- -----
a 33
b 33
c 33
x 44
y 55
z 66
RedRanger can access a, b, c, x and y but not z
GreenRanger can only access a, b, c and x
BlueRanger can access a, b, c, x, y and z
Let's say that RedRanger needs to be denied access to resource a.
If I remove him from group 33, he can no longer access b or c, which is no good.
The only alternative is to change a's group and add everyone else to the new group. This isn't so bad for 3 users, but what about 3,000?
If this situation occurs often there will soon be a mess of groups.
What is the best approach to this problem?
Thanks!
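
Added example, not part of the original post: the tables above loaded into an in-memory SQLite database, with access computed from group membership and one common way to express a per-user exception, a deny table that overrides group grants. The `resource_deny` table, the column names and the function names are assumptions made for this illustration.

```python
import sqlite3

# Rows mirror the tables in the post. resource_deny is a hypothetical
# addition (not in the post) that holds per-user exceptions.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
CREATE TABLE user_groups (user_id INTEGER, group_id INTEGER);
CREATE TABLE resources (name TEXT PRIMARY KEY, group_id INTEGER);
CREATE TABLE resource_deny (user_id INTEGER, resource TEXT,
                            PRIMARY KEY (user_id, resource));
INSERT INTO users VALUES (1,'RedRanger'),(2,'GreenRanger'),(3,'BlueRanger');
INSERT INTO user_groups VALUES (1,33),(1,44),(1,55),(2,33),(2,44),
                               (3,33),(3,44),(3,55),(3,66);
INSERT INTO resources VALUES ('a',33),('b',33),('c',33),
                             ('x',44),('y',55),('z',66);
"""

# Group membership grants access; a matching deny row always wins.
ACCESS_SQL = """
SELECT DISTINCT r.name
FROM users u
JOIN user_groups ug ON ug.user_id = u.id
JOIN resources r ON r.group_id = ug.group_id
WHERE u.name = ?
  AND NOT EXISTS (SELECT 1 FROM resource_deny d
                  WHERE d.user_id = u.id AND d.resource = r.name)
ORDER BY r.name
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def accessible(db, user_name):
    """Resources the user can reach after deny rows are applied."""
    return [row[0] for row in db.execute(ACCESS_SQL, (user_name,))]

def deny(db, user_name, resource):
    """Record a per-user exception without touching any group."""
    db.execute("INSERT OR IGNORE INTO resource_deny "
               "SELECT id, ? FROM users WHERE name = ?",
               (resource, user_name))

if __name__ == "__main__":
    db = build_db()
    print(accessible(db, "RedRanger"))    # before the exception
    deny(db, "RedRanger", "a")
    print(accessible(db, "RedRanger"))    # a is gone, b and c remain
    print(accessible(db, "GreenRanger"))  # other users unaffected
```

Evaluating the deny check inside the same query as the grant keeps the decision in one place, so no code path can read group membership without also honoring the exception.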