phpGACL Permission Control

Source: Internet
Author: User
Tags: acos
phpGACL Application Permission Control

Designing access control is a recurring problem in system and framework development: how do you build a control scheme that is simple to implement yet fine-grained enough to be accurate? I recently came across such a framework, phpGACL, in the ACL section of Joomla.
In my own development work I have faced this problem again and again. Coarse-grained control is simple; fine-grained control is complex, and once the permission design becomes very fine I end up with highly convoluted structures and code. phpGACL provides very effective permission control: it supports rich permission rules while keeping development and design simple. Let me introduce the phpGACL framework.


This article is translated from the phpGACL user manual.

phpGACL is a set of functions that lets any object (a user, a remote host) have permission controls applied to other objects (a page, a database). It provides mature access control with simple administration, and it is quite fast. More importantly, it is completely open source; you can get it from http://phpgacl.sourceforge.net/

To run it you first need a relational database to store the permission data. phpGACL connects to the database through the ADODB library, so it can easily work with MySQL, PostgreSQL, Oracle and others. The ACL system in Joomla is a lightly modified version of phpGACL; the main change is at the database layer, where Joomla drops ADODB and uses Joomla's own database abstraction class to store the data.

Understanding Permission Control

The best way to explain permission control is with a concrete example rather than dry concepts. Han is the captain of the Millennium Falcon, Chewie is his second-in-command, and the ship carries some passengers: Luke, Obi-Wan, R2D2 and C3PO. Han needs to define access to every compartment on the ship: the cockpit, the power compartment, the rest compartment and the weapon compartment.

Captain Han says: "Chewie and I have the right to go anywhere, but after that memorable hyperdrive repair I forbid Chewie from going near the power compartment, and all passengers are confined to the rest compartment." The permission system we are discussing is a Boolean system: for each person on the ship, the permission to enter each compartment is either allow or deny, and there is no third state.

We can describe this as a permission matrix, which answers the question of who has access to where. Applying Han's rules gives the following (O for allowed, X for denied):

                 Cockpit   Power   Rest   Weapon
    Han             O        O       O       O
    Chewie          O        X       O       O
    Luke            X        X       O       X
    Obi-Wan         X        X       O       X
    R2D2            X        X       O       X
    C3PO            X        X       O       X

The columns are the compartments whose access Han needs to control, and the rows are the people who need access to them. In abstract terms, a "compartment" is a thing whose access must be controlled; we call it an Access Control Object (ACO). A "person" is a thing that requests access; we call it an Access Request Object (ARO). "People need permission to enter compartments" becomes, in our terminology, "AROs request access to ACOs". There is also a third class of object, the Access eXtension Object (AXO), discussed later; it shares the properties of the other two kinds and lets permissions be combined.

Managing permissions with a matrix is straightforward, and it has both strengths and drawbacks.
1. It is fine-grained: if necessary it can manage every individual person.
2. Permissions are visible at a glance: to see whether someone may enter a compartment, find the intersection of the person's row and the compartment's column.
3. It is very hard to manage for a large permission system. Six people and four compartments is a tiny system, but with thousands of users and hundreds of compartments the matrix becomes unwieldy, requiring a great many precise and tedious decisions. The matrix does not adapt to managing a system of that size.
4. Reporting is troublesome. In the small matrix above it is easy to see who may enter the power compartment, but once the matrix grows large the answer becomes hard to read off.

Defining Permissions with phpGACL

The permission matrix is unsuitable for managing large permission systems, so we need a system better suited to the job, one that keeps the matrix's advantages and removes its drawbacks. phpGACL is a very good solution.

phpGACL does not describe permissions bottom-up; it describes them top-down. This gives a flexible system that lets users manage permissions for large numbers of people by means of groups, while still making it easy to know who has access to where. phpGACL uses an ARO tree to define groups and ARO objects. The tree has the same relationship as folders and files: a group is like a folder, and an ARO object is like a file.

Now we take the people on Han's ship, the AROs, and design an ARO tree. First we classify them: Han and Chewie are crew, and the rest are passengers.

    Millennium Falcon passengers     Group
    ├── crew                         Group
    │   ├── han                      ARO
    │   └── chewie                   ARO
    └── passengers                   Group
        ├── obi-wan                  ARO
        ├── luke                     ARO
        ├── r2d2                     ARO
        └── c3po                     ARO

This tree does not yet attach any permissions; it only classifies the ARO objects. We apply permissions by assigning ACO objects, the compartments, to groups or ARO objects on the ARO tree. Han says: "By default nobody is allowed into any compartment, but the crew may enter every compartment and passengers may enter the rest compartment."

    Millennium Falcon passengers
    ├── crew                         [Allow:all]
    │   ├── han
    │   └── chewie
    └── passengers                   [Allow:lounge]
        ├── obi-wan
        ├── luke
        ├── r2d2
        └── c3po

Now read the tree from top to bottom. The default permission is always deny, so initially everyone, crew included, is denied entry to every compartment. But Han also said "the crew can enter any compartment", and this assignment overrides the default: the final result is that the crew may enter any compartment, while passengers may enter only the rest compartment. Describing permissions this way is clearer than the matrix: you can see who may go where and why they have that permission (Han and Chewie can go anywhere on the ship because they belong to the crew group). Note that Chewie's exclusion from the power compartment is not yet expressed in this tree; it requires a deny assigned to Chewie's own ARO, which the manual covers later.

Summary

Access Control Objects (ACOs): the objects we need to control access to, such as web pages, databases, or compartments.
Access Request Objects (AROs): the objects that request access, such as a person or a remote computer.
The ARO tree defines the hierarchy of ARO objects and groups. Groups can contain ARO objects or other groups.
The default on the ARO tree is always deny.
Permission assignment: walk the ARO tree and, for each ACO, assign specific permissions to AROs or groups; an assignment overrides the default deny for everything below it in the tree.
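The top-down resolution described for the tree above and summarised in the points just listed can be made concrete in a few dozen lines. The block below is an added example and not phpGACL's own code: the real library stores the ARO tree and its ACL assignments in a database through ADODB, whereas this model keeps the same structure in memory so it runs offline. It assumes the resolution order phpGACL uses when several assignments apply (an assignment on the ARO itself beats one on its group, a deeper group beats a shallower one, and nothing matching falls back to deny), uses its own ACO names apart from "lounge", and expresses Chewie's power-compartment exception, which the page states but does not draw in the tree, as a deny on Chewie's ARO.

```python
"""In-memory model of the phpGACL-style permission resolution described above.

Added example, not phpGACL's own code. The ARO tree is a hierarchy of groups
with leaf AROs; allow/deny assignments hang off a group or an individual ARO;
the tree's default is deny; the most specific assignment wins.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# ACOs: the compartments Han controls. "lounge" follows the page's tree;
# the other three names are ours (assumption).
ACOS: List[str] = ["cockpit", "engine_room", "lounge", "gun_turret"]


@dataclass
class Group:
    """A node of the ARO tree; may contain AROs or other groups."""
    name: str
    parent: Optional["Group"] = None
    rules: Dict[str, bool] = field(default_factory=dict)  # ACO -> allowed?


@dataclass
class Aro:
    """A leaf of the ARO tree: one person (or host) requesting access."""
    name: str
    group: Group
    rules: Dict[str, bool] = field(default_factory=dict)  # ACO -> allowed?


def acl_check(aro: Aro, aco: str) -> bool:
    """Resolve whether `aro` may access `aco`.

    Walk from the ARO itself up through its group chain to the root and let
    the first node carrying a rule for this ACO decide: a rule on the ARO
    beats one on its group, and a deeper group beats a shallower one. If no
    node says anything, fall back to the tree's default, which is deny.
    """
    if aco in aro.rules:
        return aro.rules[aco]
    group: Optional[Group] = aro.group
    while group is not None:
        if aco in group.rules:
            return group.rules[aco]
        group = group.parent
    return False  # default: denied


def build_falcon() -> Dict[str, Aro]:
    """Build the Millennium Falcon ARO tree from the page, with Han's rules."""
    root = Group("millennium_falcon_passengers")
    crew = Group("crew", root, {aco: True for aco in ACOS})      # [Allow:all]
    passengers = Group("passengers", root, {"lounge": True})     # [Allow:lounge]
    aros = [
        Aro("han", crew),
        # Han's exception (assumed encoding): a deny on Chewie's own ARO is more
        # specific than the crew group's allow, so it wins for this one ACO.
        Aro("chewie", crew, {"engine_room": False}),
        Aro("obi-wan", passengers),
        Aro("luke", passengers),
        Aro("r2d2", passengers),
        Aro("c3po", passengers),
    ]
    return {a.name: a for a in aros}


def permission_matrix(aros: Dict[str, Aro]) -> Dict[str, Dict[str, bool]]:
    """Expand the tree into the explicit ARO x ACO matrix the page starts from."""
    return {name: {aco: acl_check(aro, aco) for aco in ACOS}
            for name, aro in aros.items()}


def who_can_enter(aros: Dict[str, Aro], aco: str) -> List[str]:
    """The report the page says is hard to read off a large matrix."""
    return sorted(name for name, aro in aros.items() if acl_check(aro, aco))


def render_matrix(matrix: Dict[str, Dict[str, bool]]) -> str:
    """Render the matrix in the page's notation: O = allowed, X = denied."""
    width = max(len(name) for name in matrix) + 2
    lines = [" " * width + "  ".join(f"{aco:>11}" for aco in ACOS)]
    for name, row in matrix.items():
        cells = "  ".join(f"{'O' if row[aco] else 'X':>11}" for aco in ACOS)
        lines.append(f"{name:<{width}}{cells}")
    return "\n".join(lines)


if __name__ == "__main__":
    falcon = build_falcon()
    print(render_matrix(permission_matrix(falcon)))
    print("engine_room:", who_can_enter(falcon, "engine_room"))
    print("lounge:", who_can_enter(falcon, "lounge"))
```

Running the block prints the same six-by-four matrix as the one built by hand earlier, but now it is derived from three assignments (crew allow all, passengers allow lounge, Chewie deny engine room) rather than twenty-four individual cells; adding a seventh passenger is one leaf under `passengers`, not a new row to fill in.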

This article has only sketched the principles and basic concepts of phpGACL access control; consult the phpGACL manual for the deeper details of GACL control.
