user verification

    Question

    I am trying to decide how I am going to do user verification. There will be a log in that will prompt the user for their username and password.

    I am planning on making a table called accounts that will contain the username and passwords. There will be only two types of users. There will be regular users and an admin. The table will contain a value that will represent the type of user. I am going to do something like 1 for admin and 2 for regular user.

    The appropriate method will be called after the user enters their value. If they are a regular user it will call the method that will then enable them to use the application. The admin will have all of the functionality of the regular user plus some additional things like entering a new employee.

    I think I am on the right track with this. I am wondering if anyone knows of any good articles or posts that deal with this type of thing. I would like to look at some more examples if possible.

    -thanks

    Sunday, January 06, 2008 4:22 PM

Answers

  • I am not aware of any articles, but I think your design is not scalable.
    What if later you decide to add more user groups with different permissions for each one of them?

    The most simple solution would be:
    - create a SECURITY_GROUP table (GRP_ID(PK), GROUP_NAME, GROUP_DESCRIPTION);
    This describes a user group.

    - create a SECURITY_PERMISSION table (PERM_ID(PK), PERM_NAME, PERM_DESCRIPTION);
    This will describe various security permissions you might need.

    - create a SEC_GRP_PERMISSION table (PERM_ID(FK), GRP_ID(FK)).
    This connects the security group with a security permission. You can easily add multiple permissions for the same group.

    - create a USER_GROUP table (USER_ID(FK), GRP_ID(FK))
    This connects user groups with actual users.
    This way you can add multiple users to a group and a user to multiple groups (therefore different sets of permissions).

    - finally, the user table should contain fields such as user id, password hash, and other things, but only user related.


    Once you have a username&pass, you authenticate against the user table and further obtain its group(s) from the USER_GROUP table, and further get its permissions from the SEC_GRP_PERMISSION table.

    Hope it helps.

    Regards
    Sunday, January 06, 2008 4:54 PM
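
The schema and lookup flow from the answer above, as an added example that is not part of the original thread. It uses Python with an in-memory SQLite database for portability; the USERS table name, the salted PBKDF2 hashing parameters, the permission names and the sample accounts are assumptions made for illustration.

```python
import hashlib, hmac, os, sqlite3
ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor, not from the thread
SCHEMA = """
CREATE TABLE USERS (USER_ID INTEGER PRIMARY KEY, USERNAME TEXT UNIQUE NOT NULL,
                    PW_SALT BLOB NOT NULL, PW_HASH BLOB NOT NULL);  -- table name assumed
CREATE TABLE SECURITY_GROUP (GRP_ID INTEGER PRIMARY KEY, GROUP_NAME TEXT UNIQUE, GROUP_DESCRIPTION TEXT);
CREATE TABLE SECURITY_PERMISSION (PERM_ID INTEGER PRIMARY KEY, PERM_NAME TEXT UNIQUE, PERM_DESCRIPTION TEXT);
CREATE TABLE SEC_GRP_PERMISSION (PERM_ID INTEGER REFERENCES SECURITY_PERMISSION,
    GRP_ID INTEGER REFERENCES SECURITY_GROUP, PRIMARY KEY (PERM_ID, GRP_ID));
CREATE TABLE USER_GROUP (USER_ID INTEGER REFERENCES USERS,
    GRP_ID INTEGER REFERENCES SECURITY_GROUP, PRIMARY KEY (USER_ID, GRP_ID));
"""

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def add_user(db, username, password, groups):
    salt = os.urandom(16)  # per-user random salt; only salt and hash are stored
    uid = db.execute("INSERT INTO USERS (USERNAME, PW_SALT, PW_HASH) VALUES (?, ?, ?)",
                     (username, salt, hash_password(password, salt))).lastrowid
    db.executemany("INSERT INTO USER_GROUP SELECT ?, GRP_ID FROM SECURITY_GROUP WHERE GROUP_NAME = ?",
                   [(uid, g) for g in groups])
    return uid

def authenticate(db, username, password):
    """Return USER_ID when the password matches, else None."""
    row = db.execute("SELECT USER_ID, PW_SALT, PW_HASH FROM USERS WHERE USERNAME = ?", (username,)).fetchone()
    if row is None:
        hash_password(password, b"\0" * 16)  # do the same work for unknown usernames
        return None
    uid, salt, stored = row
    return uid if hmac.compare_digest(hash_password(password, salt), stored) else None

def permissions(db, user_id):  # union of permissions over all of the user's groups
    rows = db.execute("""SELECT DISTINCT p.PERM_NAME FROM USER_GROUP ug
        JOIN SEC_GRP_PERMISSION gp ON gp.GRP_ID = ug.GRP_ID
        JOIN SECURITY_PERMISSION p ON p.PERM_ID = gp.PERM_ID
        WHERE ug.USER_ID = ?""", (user_id,))
    return {name for (name,) in rows}

def demo_db():  # constructed sample data: the question's admin and regular user
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO SECURITY_GROUP (GROUP_NAME) VALUES (?)", [("admin",), ("regular",)])
    db.executemany("INSERT INTO SECURITY_PERMISSION (PERM_NAME) VALUES (?)", [("use_app",), ("add_employee",)])
    db.executemany("INSERT INTO SEC_GRP_PERMISSION SELECT p.PERM_ID, g.GRP_ID FROM SECURITY_PERMISSION p, SECURITY_GROUP g WHERE p.PERM_NAME = ? AND g.GROUP_NAME = ?", [("use_app", "regular"), ("use_app", "admin"), ("add_employee", "admin")])
    add_user(db, "alice", "constructed-pw-1", ["admin"])
    add_user(db, "bob", "constructed-pw-2", ["regular"])
    return db
```

The application gates each feature on a permission name returned by `permissions()` rather than on a hard-coded user type, so adding a new group later needs only new rows.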

  • Will the thread not be in the c# forum for other people to read and to respond to if it is closed?

    Of course it will, but it will be marked as answered. You should mark posts as answers only if they have really been answers for your problem.
    Anyone could further respond to it.

    Regards.
    Sunday, January 06, 2008 5:36 PM

All replies

  • Thanks for the help. That makes sense.

    At the bottom of your post it says "Marcel N,-- Don't forget to close the thread by marking the correct post(s) as ANSWERED! "

    Will the thread not be in the c# forum for other people to read and to respond to if it is closed?

    .............................thanks again

    Sunday, January 06, 2008 5:32 PM
