Designing a New Security / Access System
The scenario I have looks like this: each database user has a list of actions, and for each one they are either approved or not. See the screenshot below:

The question is: where should I store this list of True / False fields? For ContaxCRM I have stored this data in a single VARCHAR field against the User record, in the Users table. I decided upon a format for the information as shown below:

A formal structure makes it easier for me to retrieve the data. The number following the 's' is the ID of the Security Question; the 0 or 1 represents False or True. You can see how this structure makes it easy for me to fill in the security list against each user with the correct True or False selection. The use of opening and closing tags just makes the list easy for me to parse with existing ContaxCRM code, making development quicker and more reliable.
The final challenge is how to secure this data so that it cannot be seen and edited by anybody looking at the database with a query tool ... the answer of course is encryption. The above information when saved into the User record will look something like this:

Any questions or comments welcome. Cheers - Steve
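
Encrypting the field hides it, but a ciphertext that is not bound to its row can still be copied from one user record to another. The following is an added example, not ContaxCRM code: it parses the tagged list strictly and attaches an HMAC-SHA256 tag covering the user ID, so an edited or transplanted value is rejected and treated as "not approved". The `<s7>1</s7>` layout, the function names, the `|` separator and the key handling are assumptions (the page's actual format is not shown), and the encryption step itself is left out.

```python
import hashlib
import hmac
import re

# Assumed encoding (the page's real layout is not shown): <s7>1</s7> = question 7 approved.
ENTRY = re.compile(r"<s(\d+)>([01])</s\1>")

def serialize(perms):
    """Encode {question_id: bool} in ascending ID order."""
    return "".join(f"<s{q}>{int(v)}</s{q}>" for q, v in sorted(perms.items()))

def parse(text):
    """Decode the field; reject anything that is not a clean run of entries."""
    entries = ENTRY.findall(text)
    if "".join(f"<s{q}>{v}</s{q}>" for q, v in entries) != text:
        raise ValueError("malformed permission field")
    ids = [int(q) for q, _ in entries]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate security question ID")
    return {int(q): v == "1" for q, v in entries}

def tag(user_id, payload, key):
    """HMAC over 'user_id:payload' so the value is tied to one user record."""
    msg = f"{int(user_id)}:{payload}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def seal(user_id, perms, key):
    """Return 'payload|tag', the string that would go into the VARCHAR field."""
    payload = serialize(perms)
    return f"{payload}|{tag(user_id, payload, key)}"

def unseal(user_id, stored, key):
    """Verify the tag for this user, then parse; raise ValueError on any mismatch."""
    payload, sep, got = stored.rpartition("|")
    expected = tag(user_id, payload, key)
    if not sep or not hmac.compare_digest(got.encode(), expected.encode()):
        raise ValueError("permission field failed integrity check")
    return parse(payload)

def is_allowed(user_id, stored, key, question_id):
    """Fail closed: tampered, malformed or missing entries mean 'not approved'."""
    try:
        return unseal(user_id, stored, key).get(question_id, False)
    except ValueError:
        return False

if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed; a real key lives outside the database
    print(seal(42, {1: True, 2: False, 7: True}, demo_key))
```

The key has to be held somewhere a query tool cannot reach, such as application configuration or a secrets store, otherwise anyone who can edit the row can also recompute the tag.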