Introduction
Most failures of an automated system come down to loopholes in its security model or bugs in rights management, which show up in two ways:
- Unauthenticated visitors getting access to the system
- Unauthorized users getting rights to access the critical areas
Popular Approaches Used In Common Practice
- Managing user rights in a session object
- Fetching permissions from the database for every Webform (database overhead)
- The complexity of the overall process is O(n²): the number of stored records is users × Webforms
- E.g. if there are 1000 users
- There are 300 Webforms
- There are 20 types of rights, i.e. Add, Edit, Delete, Reconciliation level 1 ... Reconciliation level n, View, Print, Cash removal, etc.
- It means there will be 1000 x 300 records in the database for user rights (300,000 records)
- It means there will be 1000 x 300 x 20 cells to be fetched for rights management (6,000,000 cells)
Proposed System
- Storing Rights
- Define a bit position for every right
- Define a string containing the bitwise rights information for a particular Webform
- Maintain a data structure, e.g. a HASHTABLE, that stores the bitwise rights string for the corresponding Webform
- Serialization:
- Serialize the data structure so it can be stored in the database or on storage media
- Store the serialized data structure in the database for a particular user, against the userid
- Fetching Rights
- Based on the userid, fetch one record from the database (the serialized data structure)
- De-serialize the data structure
- Store the data structure in a session object
- Implementing Security System
- Authentication Procedure
- Look up the user record by username and verify the submitted password against the stored (salted, hashed) password, never by comparing plaintext
- If successful, proceed to the per-Webform authorization procedure
- If unsuccessful, keep the user on the login gateway
- Authorization Procedure (Web form based)
- Using the userid from the session object, look up the bitwise rights string for the current Webform in the session data structure
- Enable or disable the corresponding buttons, links and contents based on the bit value of each right
- Enforce the same bit check on the server for every request or postback that performs the action; a disabled control is only a UI hint and can be re-enabled by the client
- Process Flow
- The complexity of the overall process is O(n): one record per user
- There are 20 types of rights
- It means a string of type VARCHAR(20) is enough to store the access rights per Webform
- There are 300 Webforms
- It means we'll have a tabulated data structure of 300 rows with 2 columns:

WebForm Name / ID | Bitwise Rights String |
Default.aspx | 11111111111111111111 |
Login.aspx | 11111111111111111111 |
Userhome.aspx | 11010101001000000000 |

- After serialization, only a single value has to be stored in the database for the complete data structure
- If there are 1000 users
- Only 1000 records will be in the database
- Only 1000 cells have to be fetched from the database for rights management
- For a more secure environment, Triple DES encryption can be used when storing and retrieving the bitwise rights string. Note that encryption alone hides the string but does not detect a substituted or edited ciphertext, so pair it with an integrity check (e.g. an HMAC over the stored value), and prefer AES, since Triple DES is deprecated
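The storing, fetching and authorization steps above, as an added example in C# (not the article's own code, which the post does not include): a parser for the 20-character rights string into a bitmask, the Webform-to-rights hashtable serialized to the single value stored per user, and the server-side bit check. The `form=bits;form=bits` blob layout, the bit numbering (bit 0 = leftmost character = Add), the HMAC integrity tag and the .NET 6+ target are assumptions of this example, not part of the article; the tag is there because encryption alone does not detect a rights blob that was edited in the database.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example, not the article's code. Assumed: bit 0 is the leftmost character of
// the article's 20-char rights string, the "form=bits;form=bits" blob layout, the HMAC
// key, and a .NET 6+ target.
public static class RightsStore
{
    public const int RightCount = 20;
    // Only the rights the article names get a position here; the rest are reserved.
    public enum Right { Add = 0, Edit = 1, Delete = 2, ReconcileL1 = 3, View = 4, Print = 5, CashRemoval = 6 }

    // "11010101001000000000" -> bitmask, character i = bit i. Rejects wrong length or junk.
    public static uint ParseBits(string bits)
    {
        if (bits == null || bits.Length != RightCount || bits.Any(c => c != '0' && c != '1'))
            throw new FormatException("rights string must be exactly " + RightCount + " chars of 0/1");
        uint mask = 0;
        for (int i = 0; i < RightCount; i++)
            if (bits[i] == '1') mask |= 1u << i;
        return mask;
    }

    public static string ToBits(uint mask)
    {
        var sb = new StringBuilder(RightCount);
        for (int i = 0; i < RightCount; i++)
            sb.Append((mask & (1u << i)) != 0 ? '1' : '0');
        return sb.ToString();
    }

    // The article's hashtable (Webform -> rights) flattened to the single cell stored per user.
    public static string Serialize(IDictionary<string, uint> rights)
    {
        return string.Join(";", rights.OrderBy(kv => kv.Key, StringComparer.Ordinal)
                                      .Select(kv => kv.Key + "=" + ToBits(kv.Value)));
    }

    public static Dictionary<string, uint> Deserialize(string blob)
    {
        var result = new Dictionary<string, uint>(StringComparer.OrdinalIgnoreCase);
        if (string.IsNullOrEmpty(blob)) return result;
        foreach (string entry in blob.Split(';'))
        {
            int eq = entry.IndexOf('=');
            if (eq <= 0) throw new FormatException("bad entry: " + entry);
            result[entry.Substring(0, eq)] = ParseBits(entry.Substring(eq + 1));
        }
        return result;
    }

    // Integrity tag stored beside the blob: an edited blob fails Verify before it is trusted.
    public static string Sign(string blob, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(blob)));
    }

    public static bool Verify(string blob, string tag, byte[] key)
    {
        if (blob == null || tag == null) return false;
        byte[] given;
        try { given = Convert.FromBase64String(tag); } catch (FormatException) { return false; }
        byte[] expected = Convert.FromBase64String(Sign(blob, key));
        return CryptographicOperations.FixedTimeEquals(expected, given);
    }

    // Server-side check: run it on every request that performs the action, not only when
    // rendering buttons, since a disabled control can be re-enabled by the client.
    public static bool HasRight(IDictionary<string, uint> rights, string form, Right right)
    {
        uint mask;
        return rights.TryGetValue(form, out mask) && (mask & (1u << (int)right)) != 0;
    }
}

public static class RightsStoreDemo
{
    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32); // constructed; use a secret store in production
        var rights = new Dictionary<string, uint>(StringComparer.OrdinalIgnoreCase) // the article's rows
        {
            ["Default.aspx"]  = RightsStore.ParseBits("11111111111111111111"),
            ["Userhome.aspx"] = RightsStore.ParseBits("11010101001000000000"),
        };
        string blob = RightsStore.Serialize(rights);            // store: one row per userid, blob + tag
        string tag = RightsStore.Sign(blob, key);
        if (!RightsStore.Verify(blob, tag, key))                // fetch at login: verify before trusting
            throw new InvalidOperationException("rights blob failed integrity check");
        var session = RightsStore.Deserialize(blob);
        Console.WriteLine("Userhome.aspx Add: " + RightsStore.HasRight(session, "Userhome.aspx", RightsStore.Right.Add));
        Console.WriteLine("Userhome.aspx Delete: " + RightsStore.HasRight(session, "Userhome.aspx", RightsStore.Right.Delete));
        string tampered = blob.Replace("Userhome.aspx=110", "Userhome.aspx=111"); // Delete bit switched on in the DB
        Console.WriteLine("Tampered blob verifies: " + RightsStore.Verify(tampered, tag, key));
    }
}
```

The blob stays a plain string rather than a general-purpose object serializer on purpose: whatever can write to the rights table then controls at most a set of bits, not the types that get instantiated when the session is rebuilt. `HasRight` is the call that belongs in every button handler and postback, not only in the code that toggles the controls.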
Points of Interest
- The length of the bitwise rights string should match the number of available rights
- Encryption should be used as appropriate for the environment
- Rights cached in the session object go stale when an administrator changes them; refresh the session copy (or force a re-login) after a rights update
Loopholes
- More overhead for managing rights per user: every user carries a separate copy of the whole Webform/rights structure
- Time taken for updating the number of forms, i.e. adding a new form means updating and maintaining the rights of every user
Possible Solution
- Save the rights structure in the database against a roleid instead of a userid
- Manage roles per userid
- 1:N relationship between userid and roleid
- Have a procedure that computes a user's effective rights with the logical OR operator over the bitwise strings of all roles assigned to that userid
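The role-based fix above, as an added example in C# (not the article's code): each role holds its own Webform-to-rights table, and a user's effective rights are the character-wise OR of those tables across every role assigned to the userid. The role names, their bit strings and the bit numbering (0 = Add, 1 = Edit, 2 = Delete, 3 = Reconciliation level 1, 4 = View, 5 = Print, 6 = Cash removal) are constructed for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

// Added example, not the article's code. Role tables are Webform -> 20-char rights string;
// a user's effective rights are the OR over all roles held (the 1:N userid/roleid relation).
public static class RoleRights
{
    // Character-wise OR of two rights strings; rejects unequal length or anything but '0'/'1'.
    public static string OrBits(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length)
            throw new ArgumentException("rights strings must be non-null and of equal length");
        var sb = new StringBuilder(a.Length);
        for (int i = 0; i < a.Length; i++)
            sb.Append(CharToBit(a[i]) || CharToBit(b[i]) ? '1' : '0');
        return sb.ToString();
    }

    private static bool CharToBit(char c)
    {
        if (c == '1') return true;
        if (c == '0') return false;
        throw new FormatException("rights string must contain only 0/1, got '" + c + "'");
    }

    // Effective rights for one user. A Webform missing from every role gets no entry,
    // which the caller must treat as "no access" rather than as "all access".
    public static Dictionary<string, string> Effective(IEnumerable<IDictionary<string, string>> roles)
    {
        var effective = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (var role in roles)
            foreach (var kv in role)
            {
                string current;
                effective[kv.Key] = effective.TryGetValue(kv.Key, out current) ? OrBits(current, kv.Value) : kv.Value;
            }
        return effective;
    }

    public static bool HasRight(IDictionary<string, string> rights, string form, int bit)
    {
        string bits;
        return rights.TryGetValue(form, out bits) && bit >= 0 && bit < bits.Length && bits[bit] == '1';
    }
}

public static class RoleRightsDemo
{
    public static void Main()
    {
        // Constructed role tables; bit 0 = Add, 1 = Edit, 2 = Delete, 4 = View, 5 = Print, 6 = Cash removal.
        var cashier = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["Userhome.aspx"] = "10001000000000000000", // Add, View
            ["Cash.aspx"]     = "00001010000000000000", // View, Cash removal
        };
        var supervisor = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["Userhome.aspx"] = "01110000000000000000", // Edit, Delete, Reconciliation level 1
            ["Reports.aspx"]  = "00001100000000000000", // View, Print
        };

        // One userid holding both roles: Userhome.aspx becomes the OR of the two rows,
        // Cash.aspx and Reports.aspx come from a single role each, Login.aspx from none.
        var effective = RoleRights.Effective(new List<IDictionary<string, string>> { cashier, supervisor });
        foreach (var kv in effective)
            Console.WriteLine(kv.Key + " | " + kv.Value);
        Console.WriteLine("Delete on Userhome.aspx: " + RoleRights.HasRight(effective, "Userhome.aspx", 2));
        Console.WriteLine("Any entry for Login.aspx: " + effective.ContainsKey("Login.aspx"));
    }
}
```

The OR merge is grant-only: there is no way to express a "deny" bit, so revoking a right from a user means clearing it in every role that grants it. Compute the effective table at login and keep only the per-role rows in the database; caching the merged result per user brings back the per-user maintenance overhead the roles were meant to remove.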
Still to Come......
- Full-fledged solution with a case study, from a novice-level prototype model to an advanced implementation of user rights
History
- 21st June, 2007: Initial post