
PHP, MySQL & Limiting Access

Greetings, all!

I have a project for work, and I'm not sure how to efficiently do what I
need to do. I'm hoping someone out there can help.

Project is this: I'm creating a web-based interface where people at my
company (operators) can enter data for service calls. All data entered
is run through one or more PHP scripts for error checking and then stored
in a MySQL database on a server here in the office.

What I'm looking to do is to limit access to certain operators so they
can only do certain functions (ex: add a service call, but not delete
one), whereas admins such as myself would have full access to
everything. Ideally, at some point in the future, we plan to roll this
interface out to our clients so they may do the same features within
their company. Obviously, they would only gain access to data related
to their company, so as to protect the privacy of others.

Hierarchy would be something like this:

1. UberAdmins (such as myself)
-Have access to everything and to all commands.

2. Operators
-Have access to everything, but not all commands.

3. Our clients
-Have access to their data only, and to all commands.

4. Our clients' operators
-Have access to their data only, but not all commands.

The difficult thing is that our clients may run several businesses, so
they would have to have access to several groups. In essence, they'd
have multiple groups (their businesses) within a group (their group)
within a group (everything).

What is the easiest and most secure way to do something like this? I'm
not looking for actual code but merely suggestions. Please reply if
there is something I wasn't clear on.

TIA,
-Jay

Jul 17 '05 #1
Jay Moore wrote:
<snip Jay's original post>

Hi Jay,

Try not to reinvent the wheel when designing user permissions. The most
simple to understand (and, IMO, most useful/powerful) permission scheme
is that used on UNIX-like operating systems. Since you said you will
have "groups" of users, this seems like the most logical thing to do.
Make each resource (viewing data, operating on data, etc) have its own
permission set associated with it. Then assign an owner user and an
owner group to each thing. (This can all be done in your database.)
For instance, you only want administrators to be able to delete a
service entry, so make the service entry "writable" by the admin group
and an admin member user.

I used a similar system for a community managed bulletin board (many
tiers of users and groups with all kinds of different permissions) and
it worked out really well.

As an example, each user (in a user table, I'm assuming) would need this
information stored:

username, member group, [attached groups]

Then, keep a list of permissions for each database function/resource:

user permission, group permission, world permission,
user owner, group owner

If you use a little relational database design, this will allow you to
link together users/groups with resources in nearly any conceivable way.

I would suggest doing the standard "read-write-execute" bits. Even
though you probably won't use the "execute" permission on a typical
database design, it keeps you sane if you're used to working with UNIX
and it's only 3 bits of extra data. There's even a nice MySQL data type
that makes life easy:

create table some_table (
  id int not null auto_increment primary key,
  -- the first listed member is the low-order bit: execute=1, write=2, read=4
  user_perm  set('execute','write','read') not null default 'read',
  group_perm set('execute','write','read') not null default '',  -- '' = no bits set
  world_perm set('execute','write','read') not null default ''
);

Then, get a user permission:

select user_perm+0 from some_table where id = 35;

This will return a decimal representation of the bit field (the "+0"
casts it to an integer type on return). So, if you have set 'read' and
'write' permissions for user 35, you will get a "6" returned from the
query since the bitfield is "110" (backwards from how they are listed
since the low-order bits come first).

If you only make your permission sets three elements long, you will
always get the same numbers you would see in a UNIX filesystem. Running
a change of permission on a resource could look like the same thing as
running "chmod" in a shell.

I would do some looking around in the manual of your DBMS to see how
sets work before diving into this scheme. If you're interested in
learning about the secure filesystem in UNIX, check the man pages (I
would start with `man chmod`).

HTH,
Zac

Jul 17 '05 #2
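Zac's scheme worked through end to end, as an added example that is not code from the thread: a relational layout with users, groups and attached groups, a service_calls table whose rows each carry an owner user, an owner group and three permission sets, and the owner/group/world check that mirrors what the kernel does for a file. It uses sqlite3 so it runs stand-alone; the permission bits are stored as plain integers, which is exactly what MySQL's `SET ... +0` returns (execute=1, write=2, read=4, so rw- is 6). The table and column names, the helper functions and the sample users, groups and calls are all constructed for the example.

```python
import sqlite3

# Bit layout follows the thread's set('execute','write','read'): the first
# listed member is the low-order bit, so execute=1, write=2, read=4 and
# rw- is 6, the same number `SELECT user_perm+0` returns from MySQL.
EXEC, WRITE, READ = 1, 2, 4

# Hypothetical schema (not from the thread). Every data row carries its owner
# user, owner group and three permission sets, like a UNIX inode.
SCHEMA = """
CREATE TABLE groups (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE);
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    member_group INTEGER NOT NULL REFERENCES groups(id)   -- primary group
);
CREATE TABLE user_groups (            -- Zac's "[attached groups]"
    user_id  INTEGER NOT NULL REFERENCES users(id),
    group_id INTEGER NOT NULL REFERENCES groups(id),
    PRIMARY KEY (user_id, group_id)
);
CREATE TABLE service_calls (
    id INTEGER PRIMARY KEY,
    description TEXT NOT NULL,
    owner_user  INTEGER NOT NULL REFERENCES users(id),
    owner_group INTEGER NOT NULL REFERENCES groups(id),
    user_perm  INTEGER NOT NULL DEFAULT 6,  -- rw-
    group_perm INTEGER NOT NULL DEFAULT 4,  -- r--
    world_perm INTEGER NOT NULL DEFAULT 0   -- ---  other tenants see nothing
);
"""


def effective_perm(conn, user_id, call_id):
    """Return the ONE permission set that applies to user_id for call_id
    (owner, else group, else world), or None if the row does not exist."""
    row = conn.execute(
        """
        SELECT c.user_perm, c.group_perm, c.world_perm,
               (c.owner_user = :uid) AS is_owner,
               (EXISTS (SELECT 1 FROM users u
                         WHERE u.id = :uid AND u.member_group = c.owner_group)
                OR EXISTS (SELECT 1 FROM user_groups ug
                            WHERE ug.user_id = :uid AND ug.group_id = c.owner_group)
               ) AS in_group
        FROM service_calls c
        WHERE c.id = :cid
        """,
        {"uid": user_id, "cid": call_id},
    ).fetchone()
    if row is None:
        return None
    user_perm, group_perm, world_perm, is_owner, in_group = row
    if is_owner:
        return user_perm
    if in_group:
        return group_perm
    return world_perm


def can(conn, user_id, call_id, bit):
    """True only if the applicable set contains `bit`. A missing row denies
    instead of raising, so callers cannot probe for which ids exist."""
    perm = effective_perm(conn, user_id, call_id)
    return perm is not None and bool(perm & bit)


def rwx(perm):
    """Render a 3-bit set the way `ls -l` does, e.g. 6 -> 'rw-'."""
    return "".join(ch if perm & bit else "-"
                   for ch, bit in (("r", READ), ("w", WRITE), ("x", EXEC)))


def delete_call(conn, actor_id, call_id):
    """Deleting a call is a write on that row; the check runs server-side on
    every request, never only in the UI that hides the Delete button."""
    if not can(conn, actor_id, call_id, WRITE):
        return False
    conn.execute("DELETE FROM service_calls WHERE id = ?", (call_id,))
    return True


def build_demo():
    """In-memory database with constructed sample data (not real records)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO groups VALUES (?, ?)",
                     [(1, "admins"), (2, "operators"), (3, "acme"), (4, "acme_west")])
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "jay", 1), (2, "op1", 2), (3, "acme_boss", 3)])
    # jay is also attached to operators; acme_boss runs a second business.
    conn.executemany("INSERT INTO user_groups VALUES (?, ?)", [(1, 2), (3, 4)])
    conn.executemany(
        "INSERT INTO service_calls VALUES (?, ?, ?, ?, ?, ?, ?)",
        [   # id, description, owner_user, owner_group, user, group, world
            (1, "in-house call",  1, 2, 6, 4, 0),  # jay rw-, operators r--
            (2, "acme_west call", 1, 4, 6, 6, 0),  # acme_west staff rw-
            (3, "acme call",      1, 3, 6, 4, 0),  # acme staff r--
            (4, "op1's own call", 2, 2, 4, 6, 0),  # owner bits narrower than group
        ],
    )
    return conn


if __name__ == "__main__":
    conn = build_demo()
    for uid, name in ((1, "jay"), (2, "op1"), (3, "acme_boss")):
        print(name, [rwx(effective_perm(conn, uid, cid)) for cid in (1, 2, 3, 4)])
```

Two things to know before putting client data behind this. The check picks exactly one class, so on row 4 the owner gets r-- even though the group gets rw-, the same surprise chmod gives on a file. And what keeps one client's operators out of another client's rows is world_perm staying at 0 on every client row, so it has to be enforced on every request that touches the row, not just when deciding which buttons to draw.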
<snip Zac's reply>

Zac,

Thanks for the prompt reply. I appreciate the help. I had actually
kinda considered doing what you suggested, only I didn't know how to
actually DO it.

My next question would be, "How would I 'label' the data being entered
so it's associated with the proper user/group?"

I'm looking to keep the layout like so:

Admins
|
+- Operators
|
+- Our clients
|
+- Our clients' operators (1)
|
+- Our clients' operators (2)

and so forth.

I hope I'm making sense. ;)

-Jay

Jul 17 '05 #3
