Need opinion on a design...
This message was discovered on ASPFriends.com 'aspngarchitecture' list.
RTaylor@datastarusa.com
I hope this is the best group for this, if it is not, please
let me know if there are any others.
I'm working on a new work order system for my company.
I'm basically converting most of our on-line system that is
currently done in Cold Fusion and the rest from a Lotus
Notes system (I would like to kill this one as quickly as
possible). I'm starting the foundation level of the system
and wondering if I am going about the best way to start
this project out.
Problem #1:
Different groups need different access to fields within a
table.
Problem #2:
Business rules sometimes will need to override field
access. (I.E. Operations can't change anything after
sending the work order to accounting).
My Solution:
Create a SingleElementDB class for items like Users,
Work Orders, Sites, etc. On initiation, it queries a
set of tables that returns what access level is granted
for each field from that table. If needed the class that
inherits this base object will call a business layer that
will override the users usual field rights for this particular
record from the table. Then it dynamically creates
the SQL call to pull only the fields that the user has rights
to (so I can't use stored procedures well) and stores
the results into a dataset.
To access values for this object, I have GetValue(FieldName)
and SetValue(FieldName). The SetValue function checks
the field level rights to see if the user is allowed to make changes
to that field. Because field rights change from user to user, it
seems impossible to create a hard typed object for each table.
Also, this design makes it possible for me to add fields to the
database and then access them from the presentation layer
without having to recode anything in the object.
When saving back to the database, I simply look at the dataset
for changes, check field permissions and dynamically create
the SQL call to update/add the values to the database (again
stored procedures don't seem to fit because the fields can be
different).
Issue #1:
What type of overhead am I going to run into since each
object that I'm calling would have its own dataset internal
to it. I'm only expecting a few hundred users at most at a
time, so I'm thinking about storing the objects in memory between
http calls to minimize database and CPU usage if I reload
the objects on each call.
Issue #2:
Since the object is not hard typed, then it will not be as
optimized, but development time is drastically cut down.
I really want to get this project started off on the right foot
and I think that someone else might be doing something
similar or would at least have some interest in my idea for a
generic SingleElement database object.
Sorry for this lengthy note, but I'm trying to get most of my ideas
on this out so that if anyone is interested or has comments,
then there would be plenty to talk about. I would like to get as
many opinions about this as possible to know if I'm doing
something crazy or just entering uncharted waters.
Thanks Again,
--->Robert
Dave Cline
Permissions - what a concept.
First off - I would get away from user based permissions if I could -
go role based. (Accounting can see SSN and Operations cannot rather
than Bob can see SSN but Bill cannot) Nobody wants to maintain 200-500
table fields for 200 users anyway. Maintenance for 5-10 roles is tolerable.
Moving forward, a business scenario might be:
1. Accounting and Personnel CAN VIEW ssn
2. Operations CANNOT VIEW ssn
3. Accounting and Personnel CAN ADD ssn
4. Only Accounting can EDIT or DELETE ssn
5. No one can EDIT ssn while Payroll is being run for the week
So we have:
VIEW rights,
ADD rights,
EDIT rights
DELETE rights,
OVERRIDE rights for each of the above rights
- For each field in each table in your database
So we have a truth table:
ROLE          VIEW  ADD  EDIT  DELETE  table   field
Personnel  -  x     x    o     o       person  ssn
Accounting -  x     x    x     x       person  ssn
Operations -  x     o    o     o       person  ssn
...
You could define a special ROLE for OVERRIDE which would blanket the
other roles:
OVERRIDE x o o o person ssn
You could determine if OVERRIDE was in place and apply this role in combination
with the role passed for validation:
OVERRIDE + Personnel = xooo (bitwise AND)
All of this would happen in your PermissionsEngine.
A way to speed up the data retrieval and update would be to apply this
PermissionEngine at the business layer rather than the database layer.
A data fetch (through a stored proc perhaps) would return all the necessary
fields. The PE would then filter out the ones which the user should see/edit.
You're going to need some engine at the biz layer to allow a role to
view a field but not edit it...
Either way you could also cache the Permissions table by creating a HashTable
using the ROLE_ID,TABLE_NAME,FIELD_NAME as a key and either an array
or datarow as the hash object. This would let you quickly retrieve the
permissions for any user, table, field. Cache this someplace semi-permanent.
I'm not up on the objectification of something like this - and would
be curious as to how to color such a permissions engine is, oh, light
object...
--
Dave Cline
www.bangeye.com/
801-796-3413
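A compact sketch of the permissions engine described in the reply above: role rights as a bit mask, an OVERRIDE mask combined by bitwise AND, and a cache keyed by role, table and field, which also yields the permitted column list that the original post builds its dynamic SQL from. This is an added example in C# (9 or later), not code from either poster; the type and member names (Rights, PermissionsEngine, Grant, SetOverride, Effective, ViewableFields) and the "Contractor" role are assumptions, and the granted rows are the Personnel and Accounting rows of the truth table.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
// Added example: all type and member names below are illustrative assumptions.
[Flags]
enum Rights { None = 0, View = 1, Add = 2, Edit = 4, Delete = 8 }
class PermissionsEngine
{
    // Cache keyed by (role, table, field), as the reply suggests.
    private readonly Dictionary<(string, string, string), Rights> _grants = new();
    // Active OVERRIDE masks keyed by (table, field); no entry means no override.
    private readonly Dictionary<(string, string), Rights> _overrides = new();

    public void Grant(string role, string table, string field, Rights rights) =>
        _grants[(role, table, field)] = rights;
    public void SetOverride(string table, string field, Rights mask) =>
        _overrides[(table, field)] = mask;

    // Default deny: an unknown (role, table, field) has no rights.
    // An active override can only remove rights (bitwise AND), never add them.
    public Rights Effective(string role, string table, string field)
    {
        _grants.TryGetValue((role, table, field), out Rights rights);
        return _overrides.TryGetValue((table, field), out Rights mask)
            ? rights & mask : rights;
    }

    // Columns for a dynamic SELECT: names come only from the permissions
    // table, so no caller-supplied text ever reaches the SQL string.
    public string[] ViewableFields(string role, string table) =>
        _grants.Keys
            .Where(k => k.Item1 == role && k.Item2 == table
                     && Effective(role, table, k.Item3).HasFlag(Rights.View))
            .Select(k => k.Item3).OrderBy(f => f).ToArray();
}
static class Demo
{
    static void Main()
    {
        var pe = new PermissionsEngine();   // rows taken from the truth table above
        pe.Grant("Personnel", "person", "ssn", Rights.View | Rights.Add);
        pe.Grant("Accounting", "person", "ssn", Rights.View | Rights.Add | Rights.Edit | Rights.Delete);
        pe.SetOverride("person", "ssn", Rights.View);   // e.g. payroll is being run
        Console.WriteLine(pe.Effective("Accounting", "person", "ssn"));
        Console.WriteLine(pe.Effective("Contractor", "person", "ssn")); // hypothetical role
        Console.WriteLine(string.Join(",", pe.ViewableFields("Personnel", "person")));
    }
}
```

Values for the permitted columns should still be passed as query parameters when the dynamic UPDATE or INSERT is built; only the column names come from the engine.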
RTaylor@datastarusa.com
Dave,
Thanks for your input! I was hoping to get
more than one response out of the 2800 people on
this list...
My design is for role based security, so not to
worry about that part. Just about everything you stated
is in line with what I am thinking, but my main concern is
with my concept for such a global type object.
I just can't imagine that I'm the only one thinking
of this type of concept and someone might have traveled
this road before me.
Any other opinions?
--->Robert
"Dave Cline" <davecline@onebox.com>
07/06/2002 04:07 PM
Please respond to "aspngarchitecture"
To: "aspngarchitecture"
cc:
Subject: [aspngarchitecture] Re: Need opinion on a design...