What is the best way to manage permissions for a web application - bitmask or database table?

I think it's a general rule of thumb to stay away from mystical bitstrings that encode the meaning of the universe.

While perhaps clunkier, having a table of possible permissions, a table of users, and a link table between them is the best and clearest way to organize this. It also makes your queries and maintenance (especially for the new guy) a lot easier.


How about creating a Permission table, then a UserPermission table to store the relationships?

You'll never have to modify the structure again, and you have the ability to add as many permissions as you wish.


I've done it both ways. But I don't use bit masks much anymore. A separate table would be fine that you can use as a cross reference, given a user id or a group id as a foreign key.

UserID | Permission
===================
1      | 1              1 representing manage users
1      | 2              2 being manage products
2      | 3 

This way would be easier to maintain and add on to later on.

I'd also use a separate table to manage what the permissions are.

PermissionID | Description
==========================
1            | Manage Users
2            | Manage Products

Usually I have a Users table, a Roles table, and a UserRoles table. This way you can have an unlimited amount of roles without changing your db structure and users can be in multiple roles.

I force the application to only authorize against roles (never users). Notice how the "id" column in the roles table is not an identity column. This is because you may need to control the IDs which get put in this table because your application is going to have to look for specific IDs.

The structure looks like this:

create table Users (
 id int identity not null,
 loginId varchar(30) not null,
 firstName varchar(50) not null,
 etc...
)

create table Roles (
 id int not null,
 name varchar(50) not null
)

create table UserRoles (
 userId int not null,
 roleId int not null
)