2

In trying to implement role based security for a web app, I have a table in the database for Permissions, Roles, Users and UserRole (i.e the assignment of users to roles).

Each role has a set of permissions. The permissions are defined as a C# flags enum with values such as 0, 1, 2, 4 and so on.

In the database the role table has a int field which stores the combined permission flags for the role. (This way we avoid having a separate Permissions table (is that good or bad?) and a one-to-many table for RolePermissions.

In the code, I check if a user has access by calculating the effective permissions for the role(s) the user is assigned to. In .NET it is pretty easy to do that by doing logical operations on the enum flags.

So my question is:

Is there a disadvantage to doing it this way (as opposed to having a Permission table and RolePermission link table (that contains 1 record for each permission given to a role)?

abatishchev
  • 98,240
  • 88
  • 296
  • 433
Krishna
  • 2,997
  • 1
  • 23
  • 31

3 Answers3

1

Three immediate disadvantages:

  • Flags can only contain as many items as there are available bits.
  • Querying from the database now gets a little more annoying. Well, only if you are using SQL manually (a join onto the roles table to determine membership reads a lot nicer).
  • When viewing the data not as flags, is anyone going to remember what a value of 1 in the fourth bit means?

Make life easy and go with a separate list. Is assigned to in a collection could very nicely boil down to myPermissions.Contains(new Permission("CanEdit")). You could then use various conversion routines to convert hardcoded values such as enums or strings into object representations of permissions to achieve myPermissions.Contains("CanEdit") etc.

This is not to say there are performance impacts in choosing flags over separate tables and vice versa, I've no idea what sort of usage you are looking at.

Adam Houldsworth
  • 63,413
  • 11
  • 150
  • 187
  • Thanks. The usage is not too exotic. It is a multi-tenanted web app with each tenant wanting to define their own role names and assigning their users to their custom roles. They will ofcourse need to map assign a standard set of permissions to each of their custom roles. – Krishna Oct 20 '11 at 11:06
1

The only disadvantage is that you'll end up writing more code in order to check for permissions. Having a separate table with user-roles makes it very simple to determine them.

  • Advantage: Save storage space (but who cares about this on this scenario?)
  • Disadvantage: More complexity on your code.
Icarus
  • 63,293
  • 14
  • 100
  • 115
  • 2
    I would actually think the code is simpler. It is just a matter of &-ing or |-ing the permissions as required. – Krishna Oct 20 '11 at 11:05
1

I used a flag enum just like you described 3 years ago in a project. My considerations:

  • Create a layer to simplify usage or you'll end up with a messy code in the front end
  • Its not intuitive for 'new developers'. If somebody else will maintain this code, be aware that he may miss the whole idea and introduce more complexity and/or bugs...

Ps.:

Each role has a set of permissions. The permissions are defined as a C# flags enum with values such as 0, 1, 2, 4 and so on.

NEVER use 0 in a flag enum...

Marcelo Oliveira
  • 653
  • 5
  • 16