Implementing Organization Permissions in SQL Server – Basic Tables

By -

The diagram below shows our starting tables (which will evolve).

 

image

 

Fine level Access Rights  are grouped into Roles through [RoleAccess]. A user is given a role on an organization unit in a specific hierarchical tree through [UserOrganizationRole].

 

The Organization Tree are kept correct by triggers that check any new insert against the allowed patterns stored in OrganizationTypeHierarchy. This will be our first piece of real TSQL

 

CREATE TRIGGER tr_OrganizationTree_Upsert
   ON  OrganizationTree
   AFTER INSERT,UPDATE
AS 
BEGIN
    SET NOCOUNT ON;
    IF (Select Count(1) FROM OrganizationTree INSERTED)
    <>
    (SELECT Count(1)
    FROM OrganizationTree INSERTED
    JOIN Organization Parent
    ON ParentOrganizationID=Parent.OrganizationID
    JOIN Organization Child
    ON Inserted.OrganizationID=Child.OrganizationID
    JOIN OrganizationTypeHierarchy
    ON Parent.OrganizationTypeID=ParentOrganizationTypeID
    AND Child.OrganizationTypeID=OrganizationTypeHierarchy.OrganizationTypeID
    AND OrganizationTypeHierarchy.TreeID=Inserted.TreeID)
    BEGIN
        RAISERROR('Organization Tree upsert is invalid',16,1)
        ROLLBACK
    END
END
GO

What we are doing is taking the parent/child organizational units and looking up their types.  We then see if these types of organizations may be parent/child in the specific tree.

 

At the top of the trees, we have the ParentType and ChildTypes being the same which allows the top of the organization tree to be an organizational unit that is it’s own parent. This approach is actually helpful to locate hierarchical roots with OrganizationId=ParentOrganizationID.

 

Our first modification will be to RoleTypeDef.

  • We will add a Bit indicating if the Role applies to:
    • the Organizational Unit OR
    • the Organizational Unit and all of it’s children in the specific tree.
  • We will assume that we will have < 127 different Access Rights (usually enough for most practical applications) and create two BIT MASKED columns of 64 bits which will be done as a BIGINT (instead of VARBINARY etc) because it is easier to manipulate in TSQL.

So the revised table is:

image

What we need to do next is update the bitmasks whenever a change happens in RoleAccess table. to do this we need to use a little function to convert our AccessRightID to a bit mask.

CREATE FUNCTION GetBitMask( @bitposition SMALLINT)
RETURNS BIGINT
AS
BEGIN
DECLARE @results BIGINT
SET @results = 1
WHILE @bitposition > 0
BEGIN
  SET @results = @results * 2
  SET @bitposition = @bitposition -1
END
RETURN @results
END

We now add equivalent to AccessRightDef

image

and add a trigger to update these two new columns from the value in AccessRightID.

CREATE TRIGGER [TR_AccessRight_Insert]
   ON [AccessRightDef]
   AFTER INSERT
AS 
BEGIN
    SET NOCOUNT ON;
UPDATE AccessRightDef
    SET BitMask= dbo.GetBitMask( (AccessRightID % 63)),
        MaskNo=AccessRightID/63
    WHERE AccessRightID IN (SELECT AccessRightID FROM INSERTED)        
END

We calculate the bitmask once per AccessRight for performance gain.

 

The next trigger recalculates all Roles Bit Masks whenever there is a change. Since Roles tend to change very slowly – there should be little performance impact.

 

CREATE TRIGGER [TR_RoleAccess_Upsert]
   ON [RoleAccess]
   AFTER INSERT,UPDATE,DELETE
AS 
BEGIN
    SET NOCOUNT ON;
UPDATE RoleTypeDef
    SET BitMask1=RevBitMask  
FROM   
(SELECT RoleTypeID AS RID, SUM(ARD.BitMask) AS RevBitMask
FROM AccessRightDef ARD
JOIN RoleAccess RA
ON ARD.AccessRightID = RA.AccessRightID
WHERE MaskNo=0
GROUP BY RoleTypeID) Revised
JOIN RoleTypeDef
ON RID = RoleTypeDef.RoleTypeID

UPDATE RoleTypeDef
    SET BitMask2=RevBitMask  
FROM   
(SELECT RoleTypeID AS RID, SUM(ARD.BitMask) AS RevBitMask
FROM AccessRightDef ARD
JOIN RoleAccess RA
ON ARD.AccessRightID = RA.AccessRightID
WHERE MaskNo=1
GROUP BY RoleTypeID) Revised
JOIN RoleTypeDef
ON RID = RoleTypeDef.RoleTypeID
END

That’s it for today. We now have Roles that have bit masks of access rights (we have two columns for bitmasks but can easily add more) that are automatically maintained by triggers.

Comments

Post a Comment

Popular posts from this blog

Yet once more into the breech (of altered programming logic)

By -
Once upon a time, long long ago, I wrote 8-bit programs in Tiny-C with absolute addressing being the only reality.  Then we had Borland Turbo-C with relative addresses and the joys of relative assembly jumps. Enter Windows and the joys of locking and unlocking memory blocks that you must allocated and manage yourself. Then came Visual Basic which evolved into .Net CLR and decreasing awareness of what is happening under the hood.   With VS2010 including F# and enhanced parallelism in .Net4, we actually have to go retro a bit – back to the world of having to understand the hardware. CPU speeds are no longer increasing – I have an old laptop from six+ years ago that ran at 3.2 GHz. This year I updated one of my machines off-the-shelf from Costco.com, an I7-920 with 4 cores and hyper-threading (8 CPUs appears in Task Manager) and 12 GB of DDR3 RAM. This week I ordered from Costco a Phenom II X6 (Yes – 6 REAL CORES) for one of my daughters.  This CPU will (according to YouTube demos) o
Read more

Simple WP7 Mango App for Background Tasks, Toast, and Tiles: Code Explanation

By -
Image
This is a continuation of this post , explaining how the sample app works. Caution : This sample isn’t meant as an example of best patterns and practices. If you see something in the code you would never do, then don’t. Solution File Organization The app has three Visual Studio Projects: the app, the agent, and the shared code library between them. One of the great things about Mango is that now the built-in Visual Studio Unit test functionality is available. By separating out the meat of the work into the SampleShared project, I can also focus my unit testing there. SampleApp1 The app has a MainPage, a ViewModel, and the WMAppManifest.xml file modified to note my ExtendedTask of BackgroundServiceAgent. The Agent is extremely simple with a call to the shared library, an update to the Tile, and a call to pop up Toast. The meat of the work is in the SampleShared library. The AgentMgr manages the background agent : add, remove, find, run now. It is only called f
Read more

How to convert SVG data to a Png Image file Using InkScape

By -
Image
Introduction The project required the need to put the visual pie chart on a web page on the client and in a Pdf file created on the server. I eventually choose to use a Telerik Kendo DataViz Chart control on the client, and use a PNG file on the server for the Pdf file. This blog post will explain the process and code to convert the client-side pie chart Svg data to a Png file, and provide a download to the working code. Prerequisites You need to have a trial version of the Telerik Kendo library installed in order to make the sample code work. You also need InkScape installed. InkScape is the application that does the actual conversion. You will need to change the Web.config appSetting of “ExeDirectoryForInkscape” to represent your own installation location. Any SVG Data Will Work The pie chart was created using the Telerik Kendo DataViz chart control. While I name a specific control, as long as you have access to the SVG data, the same conversion process on the server will
Read more