Solved How Application User/Group Permissions

Microsoft Visual studio professional 201...
November 11, 2013 at 08:07:06
Specs: Windows 7, 2.4GHz Xeon
An application that I am creating will have user-based permissions delegating what the user can do within the application. I have a couple of ideas on how to do this, but I feel as if there is an easier way. What I am planning on doing is creating an enumeration of all the different types of permissions, then populating a user permission object with all the permissions that that user has from what the database query returns. Then, in each form load, it would check whether the user has permission to view that form or not. What is the usual way that someone would go about this?

#1
November 18, 2013 at 06:25:38
I decided to create a class of properties and use reflection to iterate through all of the properties that the user is assigned to in my database table, then use reflection to set the properties by name. When adding user permissions, I iterate through all the properties and create either an update or an insert query to update the database with the newly set permissions.

Get Permissions from database/DataTable:

' Copy each row of the permission table (Name, Value) onto the property of the
' same name on the Permission object. Rows whose Name matches no property are
' ignored, and properties with no row keep their default (False).
For Each row As DataRow In dt.Rows
    For Each prop As Reflection.PropertyInfo In Permission.GetType().GetProperties()
        If prop.Name = CStr(row("Name")) Then
            prop.SetValue(Permission, CBool(row("Value")), Nothing)
        End If
    Next
Next

Set Permissions in database:

Imports System.Data
Imports System.Data.SqlClient
Imports System.Windows.Forms

Public Shared Function SetPermissions(ByVal GroupID As Integer, ByVal Permission As Permission) As Boolean
    Dim query As String = String.Empty

    Try
        ' Build one "IF EXISTS ... UPDATE ... ELSE INSERT" statement per property.
        ' prop.Name comes from the Permission class and GroupID is an Integer, so
        ' nothing user-typed is concatenated into the SQL text here.
        For Each prop As Reflection.PropertyInfo In Permission.GetType().GetProperties()
            ' CInt(True) is -1 in VB, so map the Boolean to 1/0 explicitly.
            Dim value As Integer = If(CBool(prop.GetValue(Permission, Nothing)), 1, 0)

            query &= String.Format("IF EXISTS(SELECT Name FROM Group_Permission_Membership WHERE Name = '{0}' AND GroupID = {1}) ", prop.Name, GroupID)
            query &= String.Format("UPDATE Group_Permission_Membership SET Value = {0} WHERE Name = '{1}' AND GroupID = {2} ", value, prop.Name, GroupID)
            query &= "ELSE "
            query &= String.Format("INSERT INTO Group_Permission_Membership (GroupID, Name, Value) VALUES({0}, '{1}', {2});", GroupID, prop.Name, value)
        Next

        Using command As New SqlCommand(query, connection)
            connection.Open()
            command.ExecuteNonQuery()
        End Using
        Return True
    Catch ex As Exception
        MessageBox.Show("Unable to set permissions: " & ex.Message, "Permission Error", MessageBoxButtons.OK, MessageBoxIcon.Error)
        Return False
    Finally
        ' Close the connection whether or not the batch succeeded.
        If connection.State <> ConnectionState.Closed Then connection.Close()
    End Try
End Function


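As an added example, not code from the thread: the design the question describes (an enumeration of permissions, a per-group permission object filled from a database query, a check before a form loads) written in Python over an in-memory SQLite table that uses the Group_Permission_Membership columns from post #1. The permission names, the sample group rows and the fetch_report function are constructed for the example. Two things differ from #1's code: the upsert uses bound parameters instead of building SQL text, and the same require() gate is called from the data-access function, not only from the form, so a caller that skips the form still gets the check.

```python
import sqlite3
from enum import Flag, auto


class Permission(Flag):
    """Application permissions as bit flags (constructed example set)."""
    NONE = 0
    ENTER_JOB = auto()
    VIEW_REPORTS = auto()
    EDIT_SETTINGS = auto()


# Same table and columns as post #1; one row per (group, permission name).
SCHEMA = """
CREATE TABLE Group_Permission_Membership (
    GroupID INTEGER NOT NULL,
    Name    TEXT    NOT NULL,
    Value   INTEGER NOT NULL CHECK (Value IN (0, 1)),
    PRIMARY KEY (GroupID, Name)
);
"""


def open_db():
    """In-memory SQLite database seeded with two groups (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = [
        (1, "ENTER_JOB", 1), (1, "VIEW_REPORTS", 0), (1, "EDIT_SETTINGS", 0),  # average user
        (2, "ENTER_JOB", 1), (2, "VIEW_REPORTS", 1), (2, "EDIT_SETTINGS", 1),  # administrator
    ]
    conn.executemany("INSERT INTO Group_Permission_Membership VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def load_permissions(conn, group_id):
    """Build the Permission flag set for one group from its rows.

    Names with no matching flag are ignored, and a group with no rows gets
    Permission.NONE, so the default is deny rather than an exception."""
    perms = Permission.NONE
    cur = conn.execute(
        "SELECT Name, Value FROM Group_Permission_Membership WHERE GroupID = ?",
        (group_id,),
    )
    for name, value in cur:
        if value and name in Permission.__members__:
            perms |= Permission[name]
    return perms


def save_permissions(conn, group_id, perms):
    """Write every flag for a group as 1/0 rows with a parameterized upsert."""
    rows = [
        (group_id, p.name, int(bool(perms & p)))
        for p in Permission
        if p is not Permission.NONE
    ]
    conn.executemany(
        "INSERT INTO Group_Permission_Membership (GroupID, Name, Value) VALUES (?, ?, ?) "
        "ON CONFLICT(GroupID, Name) DO UPDATE SET Value = excluded.Value",
        rows,
    )
    conn.commit()
    return len(rows)


def require(perms, needed):
    """Gate for form loads and data access: True only if every needed flag is set."""
    return (perms & needed) == needed


def fetch_report(conn, group_id):
    """Data-access function that re-checks the permission itself (constructed)."""
    perms = load_permissions(conn, group_id)
    if not require(perms, Permission.VIEW_REPORTS):
        raise PermissionError("group %d may not view reports" % group_id)
    return ["job-1001", "job-1002"]  # constructed placeholder for the report rows


if __name__ == "__main__":
    db = open_db()
    for gid in (1, 2):
        print(gid, load_permissions(db, gid))
    save_permissions(db, 1, Permission.ENTER_JOB | Permission.VIEW_REPORTS)
    print("group 1 after grant:", fetch_report(db, 1))
```

Because the flags are a Flag enum, the "about 30 properties" check from #3 is a single bitwise comparison instead of a reflection loop, and new permissions are added by adding one member. Whether the table is read by the application or by a view or stored procedure that the database restricts, as #4 suggests, the load and save functions are the only places that touch SQL.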

#2
November 18, 2013 at 16:09:51
Assuming you're tying your application to a user account (either DB or AD), I suggest you just use the database's inbuilt permission system, and check against that. How you'd do so is up to the DB in question.

Also, Reflection is almost always the wrong answer.

How To Ask Questions The Smart Way



#3
November 18, 2013 at 16:44:34
It's for access to certain parts of the program. I was thinking that the built-in permissions system would work, but I need to be able to customize them based on different sections, so that I can make sure the average user does not have access to reporting and application settings but does have access to enter a job. What is wrong with using reflection? I'm aware that it probably isn't the best way to do it because it can be slow. Are there any other reasons? What would be a better way to check through about 30 properties?


#4
November 18, 2013 at 19:39:12
✔ Best Answer
It's not bad, just be aware of how secure you are.

Having only one account, with security and auditing controlled by your application is vulnerable to having the DB account credentials sniffed, leading to unrestrained, untracked access to the DB.

Having multiple accounts with data restricted by your application is vulnerable to the many DB access programs out there. This leads to complete access to the data for the cost of downloading TOAD.

Of course, I'm assuming a client/server model here. If both the DB and the app sit on the same machine, security is only an inconvenience to all parties involved.

It's been years since I last programmed anything that needed a serious DB, let alone serious DB security, but I'm pretty sure you can use views and stored procedures to view / add to a DB table you've otherwise restricted. The rules / restrictions involved depend on the DB in play. MS SQL relevant documentation: http://technet.microsoft.com/en-us/...

Also, suggested reading on Reflection: http://stackoverflow.com/questions/...

How To Ask Questions The Smart Way



#5
November 20, 2013 at 10:26:33
That makes a lot more sense. I will look into doing server-based permissions rather than application permissions. I guess I was making my decision by what other programs I have used do. Most seem to have application permissions and not server-based ones. Thank you for the help.
