ACLs in a database?

From: Dave Kimmel <criscokid_at_v-wave.com.nospam>
Date: Sat, 21 Jul 2001 23:33:19 GMT
Message-ID: <slrn9k6dth.1id5.criscokid_at_deepcore.gsm>


Some background: I have a database at work which stores a hierarchy of documents. Each document can have child documents, and every document has a unique ID. I'm in the process of converting this to store documents based on their path, so the document relating to the office policy on email will be "root/om/om-email". "root/om" is a document outlining the Office Matters section, "root" is the start of the whole thing. This is all one table and works very well. Simple enough, so far.

This was great for one user. Access control consisted of setting a flag in the Users table that said you can edit stuff. That worked well enough.

But now we are going to have multiple people editing this and, due to the nature of what's being stored, we don't want certain people editing certain groups of documents. So, user dkimmel (me) would have access to edit everything, but user jsmith would only have access to edit things in the section "process", user jrandom might only have access to edit "process/records-management", etc.

So, I figure that I need some form of Access Control mechanism to do this. So far, I figure that there are two possibilities. One is to use something similar to NT-style ACLs, which are really powerful, but could lead to logistical problems and headaches. The other possibility is to use something similar to Unix-style permission bits. They're pretty simple, since they won't vary in size like a full blown ACL, and they're powerful, but it'll still cause headaches. I have to rework this thing anyway, so I'm in for headaches anyway.

A third possibility, which I didn't mention there, was to scrap using a relational database to store all of this and switch to a content management system, such as Zope (http://www.zope.org/). It already stores hierarchies properly, instead of with what I consider to be a hack (like I'm doing now), and it has a fairly comprehensive and relatively easy to use access control system. There are a number of concerns with Zope too, the main one being that the existing hierarchy doesn't quite fit in properly.

So... What are your thoughts on this?

Thanks in advance!
-- Dave Kimmel

   criscokid_at_v-wave.com
   ICQ: 5615049

Received on Sun Jul 22 2001 - 01:33:19 CEST
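
The per-subtree edit rule described in the post (dkimmel edits everything, jsmith only "process", jrandom only "process/records-management") can be kept in the relational database as a table of path-prefix grants. This is an added example, not part of the original message; the table `edit_grants`, its columns, the function names and the placement of the sections under "root/" are assumptions.

```python
import sqlite3

# Constructed sample grants using the users and sections named in the post.
# Assumption: sections live under "root/", like "root/om/om-email".
GRANTS = [
    ("dkimmel", "root"),
    ("jsmith", "root/process"),
    ("jrandom", "root/process/records-management"),
]

# A grant covers a document when its prefix equals the document path or is
# followed by '/' in it, so "root/process" does not cover "root/processing".
# substr() is used instead of LIKE so '%' and '_' in a path are never
# treated as wildcards. Paths are assumed to be stored in canonical form
# (no "..", no doubled or trailing slashes).
CHECK_SQL = """
SELECT EXISTS (
    SELECT 1 FROM edit_grants
    WHERE username = :user
      AND (:path = path_prefix
           OR substr(:path, 1, length(path_prefix) + 1) = path_prefix || '/')
)
"""

def open_db():
    """Create an in-memory database holding the sample grants."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE edit_grants (
        username    TEXT NOT NULL,
        path_prefix TEXT NOT NULL,
        PRIMARY KEY (username, path_prefix))""")
    db.executemany("INSERT INTO edit_grants VALUES (?, ?)", GRANTS)
    return db

def can_edit(db, user, path):
    """Default deny: True only if some grant of `user` covers `path`."""
    row = db.execute(CHECK_SQL, {"user": user, "path": path}).fetchone()
    return bool(row[0])

if __name__ == "__main__":
    db = open_db()
    for user, path in [("dkimmel", "root/om/om-email"),
                       ("jsmith", "root/om/om-email"),
                       ("jsmith", "root/processing/draft"),
                       ("jrandom", "root/process/records-management/retention")]:
        print(user, path, can_edit(db, user, path))
```

A user with no matching row is denied, and a grant on a parent path implicitly covers every descendant, so moving a document under a different parent changes who can edit it.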
