I am working on an application consisting of modules written in different languages (Java and C# are among them) running on different machines (currently, inside a LAN; so it is not a big one, but nevertheless, it is distributed). We are seeking for a reasonable approach of implementing role based permissions for the functionality (to configure who is entitled to invoke which part of the functionality).
Currently, this is solved by a custom database table mapping user names to the GUI IDs of the dialogue elements they are permitted to use (was not my idea, just in case you wonder…) and having one of our modules the ‘admin’ functionality of setting these values. I have the feeling, but am not really sure, that this direct writing into this table is not a good approach, especially with respect to concurrent write (of the ‘admin’ module) and read (although database transactions should provide concurrency handling… but does this suffice in this case?).
So my idea would be a central service (preferably written in C#, but Java would be okay, too, if its framework provides the better support for this) accessible by all modules which has to be accessed for both, setting and reading the permissions. This service then could guard against the concurrency problems. At its back, of course, it in turn would use still a database for storing the permissions.
What do you think of this approach, wouldn’t the service be a bottleneck? But it ‘feels’ right to me. What does not feel right to me is doing this from scratch like reinventing the wheel. Could the service be something like the authentication and authorization sub-frameworks as provided by (ASP).NET? Or even Active Directory? But its focus seems to be more coarse-grained (files, directories, printers, not functions inside an application…).
Could you tell me your experiences with this topic?
Many thanks in advance!
Here are some pointers I found during my search:
http://en.wikipedia.org/wiki/Role-based_access_control
Storage of Role-based Permissions using ADFS and WIF
Designing a permissions based security model
Best Role-Based Access Control (RBAC) database model
I’d suggest to leverage LDAP facilities if you are looking for ready-to-use solution. Active Directory is not only one solution supporting this protocol, you can use even open source ones. But considering the common and general solution you can loose in performance. I don’t remember the open source storage supporting LDAP that I used but it seemed very slow. So probably the best way is to implement your own scalable and hight-available storage as a service.