Best Role-Based Access Control (RBAC) database model

JasonSmith · Oct 10, 2008 · Viewed 44.4k times

What is the best database schema to track role-based access controls for a web application?

I am using Rails, but the RBAC plugin linked by Google looks unmaintained (only 300 commits to SVN; latest was almost a year ago).

The concept is simple enough to implement from scratch, yet complex and important enough that it's worth getting right.

So how do others architect and implement their RBAC model?

Answer

Amr Mostafa · Oct 12, 2008

To my rather basic knowledge in that area, the basic actors of an RBAC are:

  • Resources.
  • Permissions.
  • Users.
  • Roles (i.e. Groups).

Resources <- require -> (one or many) Permissions.

Roles <- are collections of -> (one or many) Permissions.

Users <- can have -> (one or many) Roles.

The tables for such a model would be:

  • permission
  • role
  • user
  • role_permission
  • user_role

Now you might want to include resources here as well if you want users of your application to be able to configure which permissions a resource needs. But I never needed that. Hope that helps.