Posted by Michael Vilain on 11/28/06 22:58

In article <pc7r6vn8cpg.fsf@panix1.panix.com>,
Lewis Perin <perin@panix.com> wrote:

> Michael Vilain <vilain@spamcop.net> writes:
>
> > In article <pc7wt5ffv72.fsf@panix1.panix.com>,
> > Lewis Perin <perin@panix.com> wrote:
> >
> > > Is anyone aware of robust software, suited to a preexisting PHP
> > > application, that handles permissions for various types of requests by
> > > role rather than user ID? I'm speaking of maintaining/editing the
> > > permissions and deciding on the requests, but either "half" of the
> > > solution might be useful.
> > >
> > > Sorry, but adopting a whole application framework is out of the question.
> >
> > If you're running php scripts in the command line rather than on a
> > web-server, you might benefit from running from within RBAC (on Solaris,
> > no?) or sudo (close enough to have 7 alleals in common).
> >
> > But if you're running from the web, your process runs under the web
> > server's UID. I fail to see how RBAC might help in that situation.
>
> I didn't mean RBAC, the Solaris concept of fine-grained superuser
> privileges; I meant RBAC, the more general concept of role-based
> access control, in this case applied to the user roles, operations,
> and resources within a Web-based PHP application.
>
> > What are you attempting to achieve here rather than asking about a
> > specific solution?
>
> To control different types of users' (that is, users of the application
> - nothing in particular to do with users known to the OS) access to
> different operations on different subsets of the data under the
> application's jurisdiction.
>
> (By being this abstract, I'm not trying to be mysterious; I'm just
> trying to state the problem clearly.)
>
> /Lew
> ---
> Lew Perin / perin@acm.org
> http://www.panix.com/~perin/babelcarp.html

I haven't seen a generic "RBAC" framework that you could use to bolt
your application on underneath. The closest I've seen is a privileges
feature in some web forums. But that was "built-in" to the forum.

My guess, you'll have to write it yourself.

Good luck.

--
DeeDee, don't press that button! DeeDee! NO! Dee...

• Next in forum: Re: receive value $_POST
• Prev in forum: Re: receive value $_POST
• Thread view: Re: Role-based Access Control (RBAC)

[Reply to this message]