Action-based user access levels

I'm developing a small site. It has a Product page where users can perform CRUD functionality with some exporting, uploading, etc. actions. I'm configuring the page-level actions in a table. Actions are like ProductView, ProductDetailsView, ProductInsert, ProductUpdate, ProductDelete, ProductExport, ProductUploadViaFile, etc.

I'm developing roles based on action-level permissions on pages. For example, Role1 has permission to the menu Product.php, and it has action permissions for ProductView and ProductInsert on that page. Suppose user1 has the role Role1.

When user1 goes to the page Product.php, I check his action permissions. If he has ProductView, I show the product table to user1. I'm finding that the code is pretty much hard-coded at the JavaScript/PHP level, like:

// $useractions is the list of action names granted to the current user
foreach ($useractions as $useraction) {
    if ($useraction == 'ProductView') {
        // show the product page....
    }
    if ($useraction == 'ProductInsert') {
        // show create button
    }
}

It looks like I have to write a lot more code when there are action-level permissions. And whenever another action is added, I have to change the UI-level code again. I hope there is a better way to do this. Any suggestions will help a lot.

You want to externalize the authorization logic from your application so that:

  1. you do not have to rewrite authorization code all over all the time
  2. you can maintain authorization independently

The main standard in that space is XACML, the eXtensible Access Control Markup Language. Have a look at the OASIS XACML webpage and Wikipedia for more information.

XACML gives you the notion of an enforcement point (PEP) or interceptor. That PEP reaches out to the authorization engine or policy decision point (PDP). The PDP considers its policies and eventually reaches a decision (either permit or deny).

For instance:

  1. The PEP asks: can user Alice view the products page?
  2. The PDP looks at its policies and sees that managers can view products pages. It retrieves Alice's role and sees that Alice is a manager.
  3. The PDP concludes yes, permit, and returns that to the PEP.

I hope this helps.
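The PEP/PDP flow described in the answer, together with a data-driven replacement for the hard-coded foreach in the question, as an added example that is not part of the original question or answer. It is plain PHP with an in-memory policy table: the role names, user names and the mapping from actions to UI elements are assumed sample data, and a real deployment would load the policies from the database or a policy file (XACML or otherwise) rather than from an array. The point of the structure is that adding an action such as ProductUploadViaFile becomes a new row in two tables, with no new if() in the page code.

```php
<?php
// Added example, not code from the original question or answer.
// A minimal policy decision point (PDP) and policy enforcement point (PEP);
// the page is rendered from a declarative action table instead of hard-coded ifs.
// All role, user and action names below are assumed sample data.

// Policies: which roles may perform which actions on which resource.
// In a real deployment this lives in the database or a policy file.
$policies = [
    'Role1'   => ['Product' => ['ProductView', 'ProductInsert']],
    'Manager' => ['Product' => ['ProductView', 'ProductDetailsView', 'ProductInsert',
                                'ProductUpdate', 'ProductDelete', 'ProductExport']],
];

// User-to-role assignment (sample data).
$userRoles = [
    'user1' => ['Role1'],
    'alice' => ['Manager'],
];

// Declarative UI table: action => the UI element it unlocks.
// A new action is a new row here, not another if() in the page.
$uiForAction = [
    'ProductView'          => 'product table',
    'ProductDetailsView'   => 'details link',
    'ProductInsert'        => 'create button',
    'ProductUpdate'        => 'edit button',
    'ProductDelete'        => 'delete button',
    'ProductExport'        => 'export button',
    'ProductUploadViaFile' => 'upload form',
];

// PDP: deny by default; permit only if some role of the user grants the action
// on the resource. Unknown users, roles or resources fall through to Deny.
function decide(array $policies, array $userRoles, string $user, string $resource, string $action): string
{
    foreach ($userRoles[$user] ?? [] as $role) {
        if (in_array($action, $policies[$role][$resource] ?? [], true)) {
            return 'Permit';
        }
    }
    return 'Deny';
}

// PEP for the page: ask the PDP about every action the page could render
// and keep only the UI elements that were permitted.
function renderProductPage(array $policies, array $userRoles, array $uiForAction, string $user): array
{
    $elements = [];
    foreach ($uiForAction as $action => $element) {
        if (decide($policies, $userRoles, $user, 'Product', $action) === 'Permit') {
            $elements[] = $element;
        }
    }
    return $elements;
}

// PEP for the handler: hiding a button is cosmetic, the server-side request
// that performs the action must be checked against the same PDP.
function handleAction(array $policies, array $userRoles, string $user, string $action): string
{
    if (decide($policies, $userRoles, $user, 'Product', $action) !== 'Permit') {
        http_response_code(403);
        return "403 Forbidden: $user may not $action";
    }
    return "OK: $user performed $action";
}

// user1 (Role1) sees only the product table and the create button.
print_r(renderProductPage($policies, $userRoles, $uiForAction, 'user1'));

// user1 is refused a delete even if the request is crafted by hand;
// alice (Manager) is permitted.
echo handleAction($policies, $userRoles, 'user1', 'ProductDelete'), PHP_EOL;
echo handleAction($policies, $userRoles, 'alice', 'ProductDelete'), PHP_EOL;
```

Two design choices matter here. First, decide() is deny-by-default and is the only place that knows about roles, so the PHP and JavaScript rendering code only ever asks "is this action permitted?" and never inspects role names. Second, the same decision function guards the POST/GET handler, not just the rendering: a user who is not shown the delete button can still send the delete request directly, so the UI check is a convenience and the handler check is the actual access control.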