I am writing a user security module using SQLServer 2008 so threfore need to design a database accordingly.
Formally I had Userinfo table with UserID, Username and ParentID to build a recursion and populated tree to represent hierarchy but now I have following criteria which I need to develop.
I have now USERS, ADMINISTRATORS and GROUPS.
Each node in the user hierarchy is either a user, administrator or group.
User
Someone who has login access to my application
Administrator
A user who may also manage all their child user accounts (and their children etc) This may include creating new users and assigning permissions to those users. There is no limit to the number of administrators in user structure. The higher up in the hierarchy that I go administrators have more child accounts to manage which include other child administrators.
Group
A user account can be designated as a group. This will be an account which is used to group one or more users together so that they can be manage as a unit. But no one can login to my application using a group account.
This is how I want to create structure
Super Administrator
administrator
-------------------------------------------------------------
| | |
Manager A Manager B Manager C
(adminstrator) (administrator) (administrator)
|
-----------------------------------------
| | |
Employee A Employee B Sales Employees
(User) (User) (Group)
|
------------------------
| | |
Emp C Emp D Emp E
(User) (User) (User)
Now how to build the table structure to achieve this. Do I need to create Users table alongwith Group table or what?
Please guide I would really appreciate.
I may write down a more complete answer later, but I should begin by pointing out that a user is really a special case of an administrator, specifically an administrator who has no child users. I would probably design the users with this in mind.
Related
Okay, I am going to try and explain this in a way that will make sense in the question that I am needing help with. Let's say that I have over 100 locations that I am pulling data from in a report that I have built already.
The following columns have the correct data coming through for each location:
User | Active | Admin | Organization | Department
User Column: This is where the name of the user is display
Active: This is if that user has an active account on that location
Admin: This is if that user has an admin account at the location
Organization: This is to display the organization for that particular location provides
Department: This is to display in what department of where the user works
Before I get into the question, I have a parameter set up to where the person receiving the report will have to choose the location that they are wanting to see before the report is shown. Another way to state that is to say the parameter is set to show only those users in that location once a locations is selected.
The question I have for a client is that some users are admins and those admins have access over 2 organizations. But some new users are not attached to an organization just yet. Is there a way for me to format a column/subreport to show those individuals that are not attached to an organization? I would be eternally grateful for someone to walk through the logic with me.
I am building a software where I have users who are responsible for managing contracts. Each user can only see the contracts that they are responsible for.
Now, I want to implement a share functionality where a user can decide to share some of the contract details with another user, so the other user can now see in his contracts list a shared contract.
But first, I want to make sure that I implement this correctly in terms of the database.
So at the moment, I have the following with regards to the relation between the users and contracts:
user (1) manages contracts (1..*)
And to implement the share functionality, I added the following:
user (0..*) can see contracts (0..*)
Which resulted in a new table that I called SharedContracts. This table will store the userID of the user who will now have access to the contract and contractID of the shared contract.
So what will happen now is that whenever user A decides to share his contract details with user B, the SharedContracts table will be used to store this data.
And the next time user B logs in, the system will check if he has a shared contract by querying the SharedContracts table. The the system will select all contractIDs that are associated with his userID.
I want to know if this is the correct way to implement a functionality like this? Is there any other way? Can I run into some problems if it stays like this?
I think your proposed architecture would be fine. The only modification I would suggest is including the IDs of both the user who shared the contract as well as the recipient of the share in the SharedContracts table. This will allow for the user who shared a contract to revoke that share at a later date.
SharedContracts
+----------+------------------+------------+
| SharerId | ShareRecipientId | ContractId |
+----------+------------------+------------+
| 1 | 2 | 1 |
+----------+------------------+------------+
My current Cube has two roles:
AdminSec: are for a few users only and refers to a Group of administrators in my Active Directory.
GlobalSec: refers to "Everyone" and gives everyone access to read all data.
We are now planning to incorporate a new department (MinimalDepartment) in our company. This department should not have access to very much of the information in our company, so my plan is to create a third role (DepartmentSec) and assigning a new Active Directory Group (MinimalDepartment) to this role. Also I will limit the access to my dimension data by deselecting all departments and only grant access to the relevant department in the Department dimension.
My question is: If an employee is a member of the Active Directory Group MinimalDepartment will they then only be able to see the data in the cube which the role DepartmentSec allows (which is what I want)? Or will they be able to see all data as they are also part of "everyone" and therefore also the role GlobalSec?
If it is the latter is it then possible somehow to create the role so "everyone" has access except those in AD-group MinimalDepartment?
It seems that I have to create a new group in my AD which contains all the departments which I want to include and then use this instead of "everyone". Fortunately my IT-supports could tell me that we already have this group so for me its not a problem.
Designing data model for STANDARD and USER SPECIFIC records for SAAS based model.
In my SAAS based application, I have users and their associated (One to One) roles. Tenants can create their own roles specific to their company and assigned to their users. And the SYSTEM have some standard roles provided for the tenants to use. The SYSTEM defined standard roles are common to all tenants.
I have the ROLE and COMPANY tables as follows:
Table: COMPANY
COMPANY_ID | COMPANY_NAME
100 | Acme Inc.
101 | E Technologies.
Table: ROLE
ROLE_ID | COMPANY_ID | ROLE_NAME | IS_STANDARD_ROLE
1 | | ADMINISTRATOR |Yes
2 | |MANAGER |Yes
3 | 100 |MyAdmin |No
4 | 100 |MySpecialist |No
5 | 101 |Supervisor |No
Here I have ROLE.COMPANY_ID references COMPANY.COMPANY_ID
I am trying to figure out the best way to accommodate both standard and user defined roles in the same table and have Hibernate 3.0 with annotations can pull with no complexity.
Here are the alternatives I am having in place.
I can have both standard and customer defined roles in the same table as above and leave the ROLE.COMPANY_ID field blank(if mysql permits) for standard. But the challenge is for hibernate3.0 to pull both ROLE.COMPANY_ID=100 OR ROLE.COMPANY_ID=
I can define a dummy company called SYSTEM in the company table and refer all standard/SYSTEM records to the Company called SYSTEM. Again the same challenge to pull records with OR in hinernate 3.0 with aootations.
Not sure, how to do this OR clause on hibernate 3.0 with annotations without custom HQL? Some how , team don’t like the idea of dummy company record in database.
I can create copies of standard records for each tenant and assign them to their own company_id. But the chanllange here is, I will have at least 80 standard records for each tenant and If I expect 1000 free trail tenants, I will end up allocating 80,000 records space. Any thought with this design? Not a clover option, but Choose this with no options left..
Instead I would prefer to have one copy of standard records, where all tenants can share as they are SYSTEM records.
Any thoughts of Mr. Perfect’s design in terms of programmability, maintenance, DB space for SAAS startup.?
I've seen a couple options.
My preferred is to have two tables, one for standard roles and one for customer-defined roles. This is subtle but they are, essentially, two different entities: a role that is common to all tenants and a tenant custom role. It is possible that these will eventually differ in attributes and/or relationships.
The other is to collate them in one table as in your first two suggestions, which are essentially the same solution. The reason I don't like this is that you overload the definition of COMPANY_ID. You will almost always regret overloading a column definition.
Either way, I would select with one of the following methods:
1) Have Hibernate call a stored procedure that unions the two sets.
2) Have two calls and assemble in your collection. At a minimum you would cache the standard roles since they are not volatile. So this would not add a performance hit.
You could Add a ROLE TYPE entity, that classifies the roles in ROLE, to your data model. This would be better than having blanks in company ID, I think. It also allows you to build a hierarchy of roles if desired - just add a PARENT ROLE attribute and a recursive relationship.
Entities:
COMPANY (COMPANY_ID, NAME)
ROLE (ROLE_ID, ROLE_TYPE_ID, COMPANY_ID, NAME)
ROLE_TYPE (ROLE_TYPE_ID, PARENT_ROLE_TYPE_ID), NAME)
Relationships:
COMPANY to ROLE is 1:M
ROLE_TYPE to ROLE is 1:M
ROLE_TYPE to ROLE_TYPE is 1:M
In this case let me be more specific about the problem
I've got a peoples table(with customer & supplier) and I've got a users table(for users who can login).
Currently I have this DB structure
Customers -> Organisations -> linked through rel_customer_addresses to address table.
(as 1 customer could have delivery_address, invoice address etc.)
Users -> Tenants -> linked through rel_users_addresses to the address table
(as 1 user could have delivery_address, invoice address etc.)
Now I've got in the invoice table customer_key. The problem is when the user himself is the customer and the invoice is from one of his customers. How do I indicate my web app to look up user and not the customer?
Since you're looking at 2 separate entities (customers and users), I would go ahead and use 2 separate tables and have them share a unique identifier (i.e., username, SID).
That way there's no chance of one seeing information from the other without the appropriate permissions.
There are several ways to control this, but the logic is something like this.
If userID exists in table user, do this.
If userID exists in table customer, do this.
If userID exists in table user AND table customer, do this.
That way you can control the situation completely either independently or together. In other words, you could grant special permissions to userID that is found in table customer, or just make it completely separate (similar to say, how facebook makes a separate 'identity' for pages vs the account it's registered to).
Hope that helps!