An access control list (ACL) is used to enforce access control for each login and to handle the security of the application.

For example, an ACL can govern menu-level access as well as function- or module-level access. When a subject requests an operation on an object in an ACL-based security model, the system first checks the ACL for an applicable entry to decide whether the requested operation is authorized. A key issue in the definition of any ACL-based security model is determining how access control lists are edited, namely which users and processes are granted ACL-modification access. ACL models may be applied to collections of objects as well as to individual entities within the system's hierarchy.

ACL basically handles two things:

ARO (Access Request Object):

AROs are usergroups and users. Each user is mapped to an ARO so that the group the user belongs to is known.

ACO (Access Control Object):

ACOs are menus and modules. Every usergroup is given permissions to access each of these menus and modules.

Essentially, the ACL is what decides whether an ARO is allowed to access an ACO.

In order to help you understand how everything works together, let's use a semi-practical example. Imagine, for a moment, a computer system used by a familiar group of fantasy novel adventurers from The Lord of the Rings. The leader of the group, Gandalf, wants to manage the party's assets while maintaining a healthy amount of privacy and security for the other members of the party. The first thing he needs to do is create a list of the AROs involved:

  • Gandalf
  • Aragorn
  • Bilbo
  • Frodo
  • Gollum
  • Legolas
  • Gimli
  • Pippin
  • Merry

The next thing Gandalf needs to do is make an initial list of things, or ACOs, the system will handle. His list might look something like:

  • Weapons
  • The One Ring
  • Salted Pork
  • Diplomacy
  • Ale

Traditionally, systems were managed using a sort of matrix that showed a basic set of users and their permissions on each object. If this information were stored in a table, it might look like the following:

+---------+---------+----------+-------------+-----------+-------+
|         | Weapons | The Ring | Salted Pork | Diplomacy | Ale   |
+---------+---------+----------+-------------+-----------+-------+
| Gandalf | Allow   |          | Allow       | Allow     |       |
| Aragorn | Allow   |          | Allow       | Allow     | Allow |
| Bilbo   |         |          |             |           | Allow |
| Frodo   |         | Allow    |             |           | Allow |
| Gollum  |         |          | Allow       |           |       |
| Legolas | Allow   |          | Allow       | Allow     | Allow |
| Gimli   | Allow   |          | Allow       |           |       |
| Pippin  |         |          |             | Allow     | Allow |
| Merry   |         |          |             |           | Allow |
+---------+---------+----------+-------------+-----------+-------+

Permissions are defined in aros_acos, which maps each entry to both an ARO and an ACO.

The DB tables aros, acos and aros_acos are generated automatically with the command:

cake schema run create DbAcl

The structure of the aros table looks like this:

+-------------+--------------+------+-----+---------+----------------+
| Field       | Type         | Null | Key | Default | Extra          |
+-------------+--------------+------+-----+---------+----------------+
| id          | int(10)      | NO   | PRI | NULL    | auto_increment |
| parent_id   | int(10)      | YES  |     | NULL    |                |
| model       | varchar(255) | YES  |     | NULL    |                |
| foreign_key | int(10)      | YES  |     | NULL    |                |
| alias       | varchar(255) | YES  |     | NULL    |                |
| lft         | int(10)      | YES  |     | NULL    |                |
| rght        | int(10)      | YES  |     | NULL    |                |
+-------------+--------------+------+-----+---------+----------------+

The structure of the acos table looks like this:

+-------------+---------------+------+-----+---------+----------------+
| Field       | Type          | Null | Key | Default | Extra          |
+-------------+---------------+------+-----+---------+----------------+
| id          | int(10)       | NO   | PRI | NULL    | auto_increment |
| parent_id   | int(10)       | YES  |     | NULL    |                |
| model       | varchar(255)  | YES  |     | NULL    |                |
| foreign_key | int(10)       | YES  |     | NULL    |                |
| alias       | varchar(255)  | YES  |     | NULL    |                |
| url         | varchar(255)  | YES  |     | NULL    |                |
| ismenu      | enum('Y','N') | YES  |     | NULL    |                |
| order       | int(2)        | YES  |     | NULL    |                |
| lft         | int(10)       | YES  |     | NULL    |                |
| rght        | int(10)       | YES  |     | NULL    |                |
+-------------+---------------+------+-----+---------+----------------+

The structure of the aros_acos table looks like this:

+---------+------------+------+-----+---------+----------------+
| Field   | Type       | Null | Key | Default | Extra          |
+---------+------------+------+-----+---------+----------------+
| id      | int(10)    | NO   | PRI | NULL    | auto_increment |
| aro_id  | int(10)    | NO   | MUL | NULL    |                |
| aco_id  | int(10)    | NO   |     | NULL    |                |
| _create | varchar(2) | NO   |     | 0       |                |
| _read   | varchar(2) | NO   |     | 0       |                |
| _update | varchar(2) | NO   |     | 0       |                |
| _delete | varchar(2) | NO   |     | 0       |                |
+---------+------------+------+-----+---------+----------------+
Under aros:
A usergroup can be mapped to a parent usergroup using parent_id. A user is mapped to its group in aros itself by setting model to "User", so that the row refers to the users table: foreign_key holds the user id, and parent_id holds the id of the usergroup's own row in aros.
acos:
An aco can likewise be mapped to a parent aco using parent_id.
aros_acos:
The permissions to add, view, edit and delete each aco (the _create, _read, _update and _delete columns) are set here using aro_id and aco_id, where aro_id refers to aros and aco_id refers to acos.
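To show how the three tables work together at check time, here is an added Python model of the lookup CakePHP's DbAcl performs over them; it is example code written for this post, not CakePHP's own, and the groups, users, assets and permission rows are constructed for the illustration (CakePHP stores 1 for allow, -1 for deny and 0 for not set in the _create/_read/_update/_delete columns, which is why they are varchar(2)).

```python
# Added example (not from the original page): a Python model of how CakePHP's
# DbAcl resolves an ARO -> ACO check over the aros, acos and aros_acos tables.
# All rows, names and the tree shape below are constructed for illustration.
# 'aros' rows: (id, parent_id, model, foreign_key, alias)
AROS = [
    (1, None, None,   None, "fellowship"),   # root usergroup
    (2, 1,    None,   None, "hobbits"),      # child usergroup
    (3, 2,    "User", 41,   "Frodo"),        # user row: model/foreign_key -> users
    (4, 2,    "User", 42,   "Merry"),
]
# 'acos' rows: (id, parent_id, alias)
ACOS = [
    (10, None, "Assets"),
    (11, 10,   "Ale"),
    (12, 10,   "The One Ring"),
]
# 'aros_acos' rows: (aro_id, aco_id, _create, _read, _update, _delete)
# CakePHP stores 1 = allow, -1 = deny, 0 = not set (defer to a parent node).
AROS_ACOS = [
    (1, 10, 0,  1, 0, 0),   # fellowship may read every asset
    (2, 12, 0, -1, 0, 0),   # hobbits are denied reading The One Ring
    (3, 12, 0,  1, 0, 0),   # Frodo alone is explicitly allowed it
]
COLS = {"create": 2, "read": 3, "update": 4, "delete": 5}

def path(rows, alias):
    """Ids of the node and its ancestors via parent_id, most specific first
    (CakePHP fetches the same path in one query using the lft/rght columns)."""
    by_id = {r[0]: r for r in rows}
    node = next((r for r in rows if r[-1] == alias), None)
    out = []
    while node is not None:
        out.append(node[0])
        node = by_id.get(node[1])
    return out

def check(aro_alias, aco_alias, action):
    """Mirror DbAcl::check(): walk up the ARO tree and, at each ARO level, look at
    the most specific ACO entry first; -1 denies, 1 allows, 0 moves on. Anything
    unresolved, including an unknown ARO or ACO, ends in deny."""
    aro_path, aco_path = path(AROS, aro_alias), path(ACOS, aco_alias)
    col = COLS[action]
    for aro_id in aro_path:
        perms = {p[1]: p for p in AROS_ACOS if p[0] == aro_id}
        for aco_id in aco_path:
            value = perms[aco_id][col] if aco_id in perms else 0
            if value == -1:
                return False
            if value == 1:
                return True
    return False
```

Note that a deny placed on a group node stops the walk for every member of that group unless a more specific row on the user's own ARO allows the action first, so explicit denies on groups are the reliable way to carve exceptions out of a broad parent allow.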
