RBAC Scheme

User authentication and user access to the application can be implemented and regulated through a simple Role-Based Access Control (RBAC) scheme. The basic idea of the scheme is to separate the user's attributes (roles) from the user's actions on the system (actions/methods). Throughout the process, the attributes are bound independently to a set of privileges of the system or application.

To explain this further, take an example. Suppose a user X holds three roles: supervisor, project manager, and HR Admin. The system then offers many privileges for consumption by these roles, such as editing a timesheet (HR Admin), editing a project (project manager), or adding a team member to the team. Each of these privileges is independently associated with one or more roles. This makes the scheme flexible and powerful for implementing user access control in a complex system, and it is well suited to an agile project process.

Figure: Illustration of RBAC Scheme

Role Based Access Control can be implemented in three phases:

Phase I: User Login

The User object may be assigned its roles when login is performed, and the data may then be stored in the $_SESSION super-global variable:

$User->arrRole = Session(…);
where $arrRole = [0, V(r1), V(r2), …, V(rN)]
The r's are the roles assigned to the User.
N is the total number of roles assigned.
V(r) is the boolean value (0 or 1) of the role r; index 0 is reserved and always 0.

Phase II: Define a method for access control

This method checks whether the system privileges of a module match the user's roles: access is granted only if at least one role required by the module is held by the user, and denied by default otherwise.
// $system_privilege: [0, P(r1), …, P(rN)], 1 where role r may perform the action
// $arrRole:          [0, V(r1), …, V(rN)], 1 where the user holds role r
function isPermitted($system_privilege, $arrRole)
{
    $access_permission = 0;   // deny by default
    // never read past the shorter vector (undefined index would be treated as "no")
    $n = min(count($system_privilege), count($arrRole));
    for ($i = 0; $i < $n; $i++)
    {
        // a match at position i: the module allows role i AND the user holds role i
        if ($system_privilege[$i] && $arrRole[$i])
        {
            $access_permission = 1;
            break;
        }
    }
    return $access_permission;
}

Phase III: Check if the user is permitted

We call the above method to validate whether the user is permitted a particular access to the application.

For example, to access a Module (with name ModuleName), we may use something similar to the following code snippet:

$News->system_privilege = $News->getMyPrivilege(…);
$access_permission = isPermitted($News->system_privilege, $User->arrRole);
if ($access_permission) {
    // Process Business Logic or Presentation
} else {
    header('Location: logout.php?categ=noaccess');
    exit;   // stop here: header() alone does not halt the script, so the protected code below would still run
}
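The three phases above, carried through end to end as an added example that is not the article's own code: the role vector is built from role names kept in the session, each module action gets its own privilege vector, and the matching function denies by default. Role names, indices and the sample session data are assumptions for illustration.

```php
<?php
// Added illustration of the RBAC vectors described above (not the article's code).
// Role indices and names are assumed for this example.
const ROLE_SUPERVISOR      = 1;
const ROLE_PROJECT_MANAGER = 2;
const ROLE_HR_ADMIN        = 3;
const ROLE_COUNT           = 3;

const ROLE_NAMES = [
    'supervisor'      => ROLE_SUPERVISOR,
    'project_manager' => ROLE_PROJECT_MANAGER,
    'hr_admin'        => ROLE_HR_ADMIN,
];

// Phase I: build $arrRole = [0, V(r1), ..., V(rN)] from the role names stored at login.
// Unknown names are ignored, so a tampered or stale session entry grants nothing.
function buildRoleVector(array $sessionRoles): array
{
    $arrRole = array_fill(0, ROLE_COUNT + 1, 0);   // index 0 reserved, stays 0
    foreach ($sessionRoles as $name) {
        if (isset(ROLE_NAMES[$name])) {
            $arrRole[ROLE_NAMES[$name]] = 1;
        }
    }
    return $arrRole;
}

// A module's privilege vector for one action: 1 at every role allowed to perform it.
function privilegeVector(array $allowedRoles): array
{
    $vec = array_fill(0, ROLE_COUNT + 1, 0);
    foreach ($allowedRoles as $r) {
        $vec[$r] = 1;
    }
    return $vec;
}

// Phase II: deny by default; grant only where both vectors are 1 at the same index.
function isPermitted(array $systemPrivilege, array $arrRole): bool
{
    $n = min(count($systemPrivilege), count($arrRole));   // never read past either vector
    for ($i = 0; $i < $n; $i++) {
        if ($systemPrivilege[$i] && $arrRole[$i]) {
            return true;
        }
    }
    return false;
}

// Phase III, with constructed data: user X holds supervisor and project manager roles.
$userRoles     = buildRoleVector(['supervisor', 'project_manager', 'not_a_role']);
$editProject   = privilegeVector([ROLE_PROJECT_MANAGER]);
$editTimesheet = privilegeVector([ROLE_HR_ADMIN]);
var_dump(isPermitted($editProject, $userRoles));    // project manager may edit a project
var_dump(isPermitted($editTimesheet, $userRoles));  // HR Admin is required, user X lacks it
```

In a real application the `isPermitted` result would replace the `$access_permission` check in Phase III, followed by the redirect and `exit` on denial.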