In addition to user authentication, user roles and fine-grained privileges are a key component of enterprise systems. To handle multiple administrators and user categories, scalable systems must be built with customizable access control so that each user has access to exactly what their job requires and nothing more, the principle of least privilege.
Although the concept is straightforward, implementation can be a challenge. Every back-end function on the application server needs its own authorization check, and menus and navigation throughout the system should be filtered by role as well. Hiding a menu item is a usability measure, not a security control: a user who knows the URL or API endpoint can still call it unless the server-side check exists. When permissions change and a user is removed from a role, the application must verify roles against the current assignments on each REST request. Relying on a predefined session timeout alone leaves a window in which revoked privileges remain usable, so a timeout complements per-request verification rather than replacing it.
One method to simplify the implementation is to split the task into two parts. First, at each page or API request, the user authentication code populates the set of roles assigned to that user, resolved from the current role store rather than cached from an earlier request. The roles should be strings or constants defined in one globally accessible place, so that a misspelled role name in a handler cannot silently refer to a role that does not exist. Next, every public-facing function first verifies against that role set that the user holds the necessary privilege before executing any instructions, failing closed when no matching role is present. Unauthorized attempts should be logged with the user, the function called and the roles held, and sent to the system administrator for review.
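The two-part approach above, as an added example that is not from the original article or any particular framework: a per-request context that loads the user's roles, and a decorator that checks them before a handler body runs, logging denials for review. The in-memory role store, the role names and the handler names are assumptions for illustration; a real system would resolve roles from a database or identity provider on each request.

```python
"""Per-request role loading plus a per-function authorization check.

Added example (not from the original article): a framework-independent
sketch of the two-part approach. Role names, the in-memory role store and
the handler names are assumptions for illustration.
"""
import functools
import logging
from dataclasses import dataclass, field

# Roles as module-level constants so every handler references the same names.
ROLE_ADMIN = "admin"
ROLE_BILLING = "billing"
ROLE_VIEWER = "viewer"

# Constructed sample role store. A real system would query a database or
# identity provider on every request so that revocations take effect at once.
ROLE_STORE = {
    "alice": {ROLE_ADMIN, ROLE_VIEWER},
    "bob": {ROLE_BILLING, ROLE_VIEWER},
}

log = logging.getLogger("authz")


class AuthorizationError(Exception):
    """Raised when the caller lacks a required role."""


@dataclass(frozen=True)
class RequestContext:
    """Roles are resolved once at the start of each request and never cached
    across requests, so a role removed from ROLE_STORE is gone on the next call."""
    user: str
    roles: frozenset = field(default_factory=frozenset)


def begin_request(user: str) -> RequestContext:
    """Step 1: populate the role set for the authenticated user."""
    # Unknown users get an empty role set, so the denial is handled
    # uniformly by the handler check (fail closed).
    return RequestContext(user=user, roles=frozenset(ROLE_STORE.get(user, ())))


def requires_role(*allowed):
    """Step 2: check the request's role set before the handler body runs.

    Holding any one of `allowed` grants access. A denial is logged with
    enough detail for an administrator to review and raised as an exception
    so the handler body never executes.
    """
    allowed_set = frozenset(allowed)

    def decorator(handler):
        @functools.wraps(handler)
        def wrapper(ctx: RequestContext, *args, **kwargs):
            if ctx.roles.isdisjoint(allowed_set):
                log.warning(
                    "DENIED user=%s handler=%s required=%s held=%s",
                    ctx.user, handler.__name__,
                    sorted(allowed_set), sorted(ctx.roles),
                )
                raise AuthorizationError(
                    f"{ctx.user} may not call {handler.__name__}")
            return handler(ctx, *args, **kwargs)
        return wrapper
    return decorator


# Public-facing handlers, each guarded before any instruction executes.
@requires_role(ROLE_ADMIN)
def delete_user(ctx: RequestContext, target: str) -> str:
    ROLE_STORE.pop(target, None)
    return f"{ctx.user} deleted {target}"


@requires_role(ROLE_ADMIN, ROLE_BILLING)
def view_invoices(ctx: RequestContext) -> str:
    return f"invoices shown to {ctx.user}"


def can_call(user: str, handler, *args) -> bool:
    """True if a fresh request by `user` is allowed to run `handler`."""
    try:
        handler(begin_request(user), *args)
        return True
    except AuthorizationError:
        return False


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(can_call("bob", view_invoices))        # billing role: allowed
    print(can_call("bob", delete_user, "carol"))  # not admin: denied, logged
    ROLE_STORE["bob"].discard(ROLE_BILLING)       # permissions change...
    print(can_call("bob", view_invoices))        # ...denied on the next request
```

Because `begin_request` rebuilds the role set from the store on every call, revoking a role needs no logout or timeout to take effect; the decorator also keeps the check in one place, so adding a handler without `@requires_role` stands out in review instead of hiding inside each function body.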
Since the division of roles can influence system architecture, user security should be considered during both the system design and development phases. This can be at odds with agile development techniques, which push functionality over thoroughness. The solution to this development dilemma can be a hybrid agile model, where security checkpoints are enforced at regular intervals throughout the programming process.
Unfortunately, although many frameworks do have a good foundation for user authentication, most lack a thorough and scalable implementation of roles and privileges. This often needs to be built on a per-application basis and implemented throughout each public-facing function call in the system. Join us in the next article in this series, where we compare deployment capabilities of various web frameworks.
Written by Andrew Palczewski
About the Author
Andrew Palczewski is CEO of apHarmony, a Chicago software development company. He holds a Master's degree in Computer Engineering from the University of Illinois at Urbana-Champaign and has over ten years' experience in managing development of software projects.