Home/ Questions/Q 6210659
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T06:11:55+00:00

This is the database schema we have. t_RoleCombinations – These are all possible combination

  • 0

This is the database schema we have.

DB Schema

t_RoleCombinations – These are all possible combination of Permissions a Role can have.

t_Permissions_Hierarchy – This enforces permissions. For e.g. if a role has permissions to Create some reosource, it should have the permissions to Edit that resource and if has permission to Edit it should have the permission to View. We also have a Share permission which if assigned should also enforce View permission. So, if a role has Create permission, it should also have View but might not have Share permission. Because of this complexity we cannot enforce hierarchy in a tree-view manner by having a ParentPermissionId column in t_Permissions and that is why have this t_PermissionHierarchy table.

t_RoleCombinations_Permissions – this is mapping table which actually defines all the combinations of permissions.

Sample data of t_Permissions table

Sample Data of t_Permissions table

Sample data of t_PermissionsHierarchy table

Sample data of t_PermissionsHierarchy table

When the client updates a Role, on the server I get a set of permissions which I need to match with one of the set in t_RoleCombinations_Permissions table and get a RoleCombinationId for it to be updated in t_Roles table. A comma separated value for set of permissions is passed in SP through parameter and I can make it recordset by a table valued function similar to the one stated here if need be.

UPDATE:-

-I thought of creating a Varchar(Max) column in t_RoleCombinations to store comma separated sorted PermissionIds. But that’s not good in a relational database.

-The statement I could think is below. But it won’t work as IN operator checks logical OR and not AND.

SELECT RoleCombinationId from t_RoleCombinations_Permissions
WHERE PermissionId in (1,2,3,4,5) -- my comma saperated permissions
GROUP BY RoleCombinationId
HAVING Count(*) = 5 -- number of permissions specified.
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I’m answering my own question. This is how I finally did it.

    In this all code below, @permisionSet is this table variable into which all the comma separated permisionIds are inserted.

    DECLARE @permissionSet TABLE (Id int, PermissionId bigint)

    This is how I match the set of permissions with the combination already available. I got this idea from another question. 

    SELECT @roleCombinationId = ISNULL(match.RoleCombinationId,0)
  FROM (
    SELECT RoleCombinationId
    FROM t_RoleCombinations_Permissions
    WHERE PermissionId IN (SELECT PermissionId FROM @permissionSet)
    GROUP BY RoleCombinationId
    HAVING COUNT(*) = @countt
  ) AS match
  INNER JOIN t_RoleCombinations_Permissions rcp ON match.RoleCombinationId = rcp.RoleCombinationId
  GROUP BY match.RoleCombinationId
  HAVING COUNT(*) = @countt

    And this is how I validate a set of permissions against the hierarchy restrictions set in t_PermissionHierarchy table.

    --If given set of permissions are valid
IF(
    NOT EXISTS( SELECT ph.PermissionId
                FROM @permissionSet ps
                INNER JOIN t_PermissionHierarchy ph ON ph.PermissionId = ps.PermissionId
                WHERE ph.ShouldHavePermissionId NOT IN (SELECT PermissionId FROM @permissionSet)
               )
   )
BEGIN
  --Permission set is valid. Insert it in t_RoleCombination_Pemissions table
END

    And to find out which permissions are required but are missing in the set.

      WITH InvalidPerms AS (
    SELECT ph.PermissionId, ph.ShouldHavePermissionId
    FROM @permissionSet ps
    INNER JOIN t_PermissionHierarchy ph ON ph.PermissionId = ps.PermissionId
    WHERE ph.ShouldHavePermissionId NOT IN (SELECT PermissionId FROM @permissionSet)
    UNION ALL
    SELECT phh.PermissionId, phh.ShouldHavePermissionId
    FROM InvalidPerms ip
    INNER JOIN t_PermissionHierarchy phh ON phh.PermissionId = ip.ShouldHavePermissionId
    WHERE phh.ShouldHavePermissionId NOT IN (SELECT PermissionId FROM @permissionSet)
  )
  SELECT ShouldHavePermissionId FROM InvalidPerms
    • 0