user control - permissions - roles

Author:
Spectrum WebDesign
05/21/2004 03:21 PM

Hi all, I'm looking for any example of how to create a user control with roles permissions... like Administrator is God, Managers could insert and change, SK8er Boy could only view certain aspects from appl.... Please do you have any example? Thanx in advance.

Author:
Tony Weeg
05/21/2004 03:34 PM

The easiest way is in your user table, where you store usernames/passwords, have a roleId, and then when they log in and you process the login information, you can set a session variable that is their roleId, and then base some permissions around that value.

How? You can cfif yourself to death:

    <cfif session.roleId eq 1>
      You are god
    <cfelseif session.roleId eq 2>
      You are a demi-god
    <cfelseif session.roleId eq 3>
      You are a sk8r boy
    <cfelseif session.roleId eq 0>
      You are sysadmin
    </cfif>

I always like to keep roleID 0 for "Omniscient Role" where you are not only the top level, but you are something bigger, code changer, etc.

Then you can roll up permissions too....

    <cfif session.roleId lte 1>
      You are here, because you are a god or demi god
    <cfelseif session.roleId lte 3>
      You are here, because you are a demi-god, god, or peon
    </cfif>

Anyway, you get the point. :)

tony

Author:
Spectrum WebDesign
05/21/2004 03:44 PM

Thanx good... great job... but are the thousands of cfif's still needed? Thanx for your time.

Author:
Tony Weeg
05/21/2004 03:47 PM

It's up to you, really. I guess you could cfcase/cfswitch it, as well.

tw

Author:
Tony Weeg
05/21/2004 03:51 PM

Heck. What am I thinking? Isn't there an isUserInRole() function in CF that will check that kinda stuff too?

To all list people: in your role-based security applications, how have you done it? With isUserInRole(), and cflogin, etc.?

tw

Author:
Burns, John D
05/21/2004 04:06 PM

<cflogin> isn't flexible enough for me. You have limited control over your querying of that data...only the functions provided in CF.

I do a user table, a role-name table and a user-role table. The user table holds basic user info. The role-name table holds info about the role (name, description, etc). The user-role table ties the two together. This allows the person to have multiple roles. Then, I just code in my app that certain role-ids can do certain things.

I've also done it where the roles are numbered 0, 0, 10, 20, 30, 40, 50, 60, 70, 80, 90 and then if you need to create specific roles for certain sections of the site, you can do it in between the existing role numbers. Then you can just check <cfif userRole GT 60> to see if the person is above 60 and if so, that means they can do this certain thing, or you can check <cfif userRole GT 90 or userRole EQ 43> to see if the user is an admin or if they have a specific role to let them do this one thing.

John

Author:
Spectrum WebDesign
05/21/2004 04:43 PM

Thanx John, but using your suggestion maybe our code will become very hard to maintain... Look at this:

    <cfif UserRole is 34 OR UserRole is 56>
      Click here to edit this record
    </cfif>

    <cfif UserRole is 67 OR UserRole is 81>
      Click here to delete this record
    </cfif>

Why don't you use Group Roles? Thanx once more again

Author:
Nick Han
05/21/2004 04:55 PM

I would recommend using a permission objects-based framework over roles-based. The problem with relying on roles is that when you need to allow another role to insert or update, you have to go through the templates where inserts or updates are referenced and change the code. Very inflexible. But if you're using a permission objects-based model, you assign that object id to any number of roles, and if the logged-in user has the role which contains that ID, then access is granted. You can write a udf that could do something like this:

    <cfif isAllowed("update user record")>
      show update link here
    </cfif>

Any user who has the security role that has this ID will pass the test. You can revoke a permission right from a role by simply removing that object id from the role.

Nick Han

Author:
Mike Kear
05/21/2004 11:08 PM

Nick, I'm trying to understand how this would appear in practice. Does this mean you'd have a table of authority levels or groups, a table of things they could do, and a many-many table linking them together? In which case a user would have a record in the user table, a number of records in the user-groups table linking the user to one or more groups?

Is this how it would be?:

Tbl_USERS (All user information)
    Userid
    Username
    etc

Tbl_GROUPS (Group names)
    GroupID
    Groupname

Tbl_AUTHORITYLEVELS (Authority Levels)
    AuthorityLevelID
    Authorityname

Tbl_TASKS (The tasks different groups can perform)
    TaskID
    TaskName

Tbl_USERSGROUPS (allocates users to groups)
    UserGroupID
    UserID
    GroupID

Tbl_GROUPAUTHORITIES (allocates authority levels to different groups)
    GroupAuthorityID
    GroupID
    AuthoritylevelID

Tbl_TASKSAUTHORITIES (Allocates tasks to different authority levels)
    TaskAuthorityID
    TaskID
    AuthorityLevelID

Cheers
Mike Kear
Windsor, NSW, Australia
AFP Webworks
http://afpwebworks.com

Author:
Sandy Clark
05/22/2004 10:38 AM

I tend to use a lock and key approach. 3 tables. Items are locked and a user must have the appropriate key to use the system.

    Profile
    Privileges
    profile_privileges

Profile has profile_id and name in it.
Privileges is usually a privilege name and id.
profile_privileges then has priv_id, profile_id (many to many table).

Each user is assigned a profile. Many users may belong to the same group. Privileges are associated with a profile.

I have a custom tag/udf called validate_permission which simply checks that the profile id has the privilege id which is associated with a particular name. if validate(permission, profile_id, priv_name) is true.

Since I do use Fusebox, I've actually written an entire security system around it which allows using the <fuseaction permission /> attribute to secure circuits or fuseactions to specific privileges. I can also use the udf internally in scripts to secure specific lines of code.
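
The permission-based design described in the posts by Nick Han, Mike Kear and Sandy Clark, as an added example that is not part of any post in this thread and is not the posters' code. It is written in Python with SQLite rather than CFML so that it runs stand-alone; the table names, the sample users and the functions is_allowed, grant, revoke and delete_user_record are assumptions made for illustration.

```python
import sqlite3

# users -> user_roles -> roles -> role_permissions -> permissions.
# Application code names a permission only; which roles hold it is data.
SCHEMA = """
CREATE TABLE users       (user_id INTEGER PRIMARY KEY, username  TEXT UNIQUE NOT NULL);
CREATE TABLE roles       (role_id INTEGER PRIMARY KEY, role_name TEXT UNIQUE NOT NULL);
CREATE TABLE permissions (perm_id INTEGER PRIMARY KEY, perm_name TEXT UNIQUE NOT NULL);
CREATE TABLE user_roles (user_id INTEGER NOT NULL REFERENCES users,
    role_id INTEGER NOT NULL REFERENCES roles, PRIMARY KEY (user_id, role_id));
CREATE TABLE role_permissions (role_id INTEGER NOT NULL REFERENCES roles,
    perm_id INTEGER NOT NULL REFERENCES permissions, PRIMARY KEY (role_id, perm_id));
"""

def build_sample_db():
    """In-memory database filled with constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    db.executemany("INSERT INTO roles VALUES (?, ?)",
                   [(1, "administrator"), (2, "manager"), (3, "viewer")])
    db.executemany("INSERT INTO permissions VALUES (?, ?)",
                   [(1, "view user record"), (2, "update user record"),
                    (3, "delete user record")])
    # bob holds two roles at once (manager and viewer)
    db.executemany("INSERT INTO user_roles VALUES (?, ?)",
                   [(1, 1), (2, 2), (2, 3), (3, 3)])
    db.executemany("INSERT INTO role_permissions VALUES (?, ?)",
                   [(1, 1), (1, 2), (1, 3), (2, 1), (2, 2), (3, 1)])
    return db

def is_allowed(db, user_id, perm_name):
    """Deny by default: True only if one of the user's roles holds the permission."""
    row = db.execute(
        """SELECT 1 FROM user_roles ur
             JOIN role_permissions rp ON rp.role_id = ur.role_id
             JOIN permissions p       ON p.perm_id  = rp.perm_id
            WHERE ur.user_id = ? AND p.perm_name = ? LIMIT 1""",
        (user_id, perm_name)).fetchone()
    return row is not None

def grant(db, role_name, perm_name):
    """Attach a permission to a role; unknown names insert nothing."""
    db.execute(
        """INSERT OR IGNORE INTO role_permissions
           SELECT r.role_id, p.perm_id FROM roles r, permissions p
            WHERE r.role_name = ? AND p.perm_name = ?""",
        (role_name, perm_name))

def revoke(db, role_name, perm_name):
    """Detach a permission from a role; callers of is_allowed() do not change."""
    db.execute(
        """DELETE FROM role_permissions
            WHERE role_id = (SELECT role_id FROM roles WHERE role_name = ?)
              AND perm_id = (SELECT perm_id FROM permissions WHERE perm_name = ?)""",
        (role_name, perm_name))

def delete_user_record(db, acting_user_id, target_user_id):
    """Check at the action itself, not only where the link is displayed."""
    if not is_allowed(db, acting_user_id, "delete user record"):
        raise PermissionError("delete user record")
    db.execute("DELETE FROM user_roles WHERE user_id = ?", (target_user_id,))
    db.execute("DELETE FROM users WHERE user_id = ?", (target_user_id,))
```

Unknown users and unknown permission names fall through to a denial, and moving a permission between roles is a row change in role_permissions rather than an edit to every template that tests a role id.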

Author:
Burns, John D
05/21/2004 05:04 PM

Using the ones in between the 10s would only be for a special case. Other than that, you'd just have your basic 10 (0,10,20...90). You don't have to give each user their own role. It depends on the app and the needs. I just know that I've thought too small in the past and it ended up coming back to bite me later. If your app only needs a couple of roles, I don't understand what it is that you're asking for suggestions for. That sounds quite easy and for you <cflogin> would probably work with its associated functions.

John Burns

Author:
Jim
05/21/2004 09:06 PM

CT> i'm looking for any example how to create an user control with roles
CT> permissions... like Administrator is God, Managers could insert and
CT> change, SK8er Boy could only view certain aspects from appl....

Hal Helms has a good technique here:
http://halhelms.com/writings/ProposedSecurityModel.pdf
and some code here:
http://www.halhelms.com/code/resources/secure.zip

I've used it when I was still on CF4.5. I've since migrated to MX but haven't checked out CFLogin yet.

Jim

