System permissions are important. Defining what people can and can't do with your application is a significant part of security.

There are two perspectives I tend to care about with permissioning. The first is user-orientated and the second is data-orientated. In this article I will talk about designing a user-orientated permission system.

For the purposes of this post a permission will be considered a boolean value that represents whether a person can or can't perform an operation. In other systems you might go as far as to consider the extent to which they have permission which ends up working like a priority based permissiong system. This is only really useful in my opinion if you've an operation two people can perform at once and you wish to provide a fine grained hints to the system as to who should have the operation performed first. It's something to consider but usually unnecessary and out of the scope of this article.

Users and user-level permissioning

In a user-orientated permission system what we care about is what users can do with our system as a whole. Example permissions under this context include CanCreateUsers, CanViewUsers, CanUpdateUsers, CanDeleteUsers, CanInitiateReconciliation, etc.

Concepts that exist in this permission system include:

  • User
  • PermissionSet

The relationship between these concepts can be described as a one-to-one as every user should have a set of permissions (even if all those permissions are set to false!). At this point we can make a decision that because our permissioning system is simply we can combine these concepts into one system entity. This entity is described in the following ER diagram.

user-level permission ERD

User groups and group-level permissioning

This will work well for simply systems with a few users. What happens when our systems become more complex and busy. Let's say that our system has so many users that we want to permission groups of them at a time. This might be by their role in the system or simply that an identified collection of users will always need the same permissions. We can create the concept of a UserGroup which defines global attributes available to all Users such as permissions.

Now we have three concepts of note.

  • User
  • PermissionSet
  • UserGroup

Since none of these can be combined we end up with a structure that is described in the following ER diagram.

group-level permission ERD

The relationship between UserGroup and User is a one-to-many. One UserGroup can have many Users. In this case we can note that the relationship between UserGroup and PermissionSet is a one-to-one relationship. We could combine these into a single UserGroup entity as we did in the previous structure. However if we keep them separate we can allow fine grain control over the user permissions.

User groups and user-level permissioning

Shown below we have created a subset of permissions specific to the user. This allows the UserGroup entity to take on a more simple role-based function within our application. Used to set blanket default permissions over a large collection of users that can then be fine tuned for a single user without having to create a new very-simplier but specialised UserGroup just for that single user.

user-Level and group-level permission ERD

You can see here how a user has a one-to-one relationship with a permission set and that a user group has a one-to-one relationship with a permission set. The relationship between user group and user remains one-to-many. In cases where we don't care about specific user permissions we decide to allow User.userPermissionSetId to be null as indicated by the empty white circle on the relationship between user and permission set. In the application there must be some logic to determine which permission set to use. If userPermissionSetId is null then follow through the user group to find the permission set.

Imagine this scenario. A user is set into a user group with no specific user-level permissions. The administrator then gives the user specific user-level permissions. At a later date the administrator alters the permissions of the user group. Since the user has specific user-level permissions these changes don't affect the user. This could probably be a problem in that it defeats the point of user groups. To keep the relevance of user groups after a user has been given user-level permissions we allow that our permissions in the permission set may be null. What this means to our application logic is that if a user-level permission is null then look for that permission at group-level regardless of whether user-level permissions were assigned as a whole. If we get up to group-level and find a null we just assume false for safetys sake.

Example program logic that resolves these permissions:

class PermissionSet:
    canCreateUsers            = None
    canViewUsers              = None
    canUpdateUsers            = None
    canDeleteUsers            = None
    canInitiateReconciliation = None
 
class UserGroup:
    permissions = None
    def __init__(self, permissions):
        # This object can only be constructed if it gives permissions since the relationship between user group and permission set is mandatory
        self.permissions = permissions
 
class User:
    group = None
    permissions = None
    def __init__(self, group, permissions = None):
        # This object can only be constructed if it gives a group since that relationship between user and user group is mandatory
        # User-level permissions are option and default to not-set
        self.group       = group
        self.permissions = permissions
 
    def has_permission(self, permission_name):
        """Returns true if this user has the named permission. False or None otherwise."""
        value = None
        if self.permissions is not None:
            # We've defined user-level permissions
            value = getattr(self.permissions, permission_name)
 
        if self.permissions is None or value is None:
            # Either we didn't define user-level permissions or we have no user-level permissions
            value = getattr(self.group.permissions, permission_name)
 
        return value

If you want to see the above functional structure in action you can use the following code for demonstration.

p1                           = PermissionSet()
p1.canCreateUsers            = True
p1.canUpdateUsers            = True
p1.canViewUsers              = True
p1.canDeleteUsers            = False
p1.canInitiateReconciliation = False
 
p2                           = PermissionSet()
p2.canCreateUsers            = False
p2.canInitiateReconciliation = True
 
group                        = UserGroup(p1)
user1                        = User(group)     # Using the default group-level permissions
user2                        = User(group, p2) # Using mostly group-level permissions but with user-level refinements
 
print "User1 canCreateUsers =", user1.has_permission("canCreateUsers") # True
print "User2 canCreateUsers =", user2.has_permission("canCreateUsers") # False
 
group.permissions.canCreateUsers = False # Change group-level permissions
print "User1 canCreateUsers =", user1.has_permission("canCreateUsers") # False
print "User2 canCreateUsers =", user2.has_permission("canCreateUsers") # False

Now we have a pretty flexible user-orientated permission system. It can be made even more reflexible if you allow users to have multiple groups or roles but when we get to this level of flexibility we introduce the concept of conflict resolution.

Imagine if you will a user with two roles, user manager and reconciliation administrator. The former role has the first four permissions set to true and canInitiateReconciliation remains null. The latter role has canInitiateReconciliation permission set to true but the rest to null. This is fine as is but what were to happen if somebody decided that the user manager role can definitely not initiate reconciliation and sets that permission to false? We end up with two permission sets for our user with a contradicting setting for canInitiateReconciliation. One possibly resolution is to simply say that if any role permission is true, then the user has permission to perform that operation. This decision lies in the application designer and out of the scope of this artile.

Generalising to hierarchical user entities

It would be nicer if we could create a hierarchy of permission levels rather than the two level system we had before where only user-level and group-level existed. To do this we generalise the concept of what a user and group is to what I'm going to call a user entity. Simply put the entity model can have a single parent and permissions set at any level of the entities parentage. You could then organise your permission scheme into a tree where the terminal leafs represent the users themselves. An example instance view could be a small business where the following diagram describes the users and groupings that exist.

Sample organisation permission hierarchy

Here we see that Randall and Doug are both part of the London development group, Andrew is part of the London sales group, Joey is part of the New York marketting group and Nigel is part of the New York branch of Example Enterprises. Each of these users inherit the permissions of their parent groups all the way to the very root group.

This allows us greater flexibility about how we organise and inherit permissions. Allowing us to specialise permissions near the bottom and generalising permissions near the top. For instance in the organisation hierarchy the overall policy of the company might deny everything except read permissions. The London development division might grant full permissions to faciliate their business role. The London Sales division might need to update records only so with inheritance they can read and update. Perhaps the marketting department are responsible for initiating a reconciliation but have no other interest in the system. They can enable reconciliation and disable read access.

In order to archieve this we can modify our system to the following:

entity permission system ERD

We generalise both users and groups of users to simply be some sort of user entity that has permissions associated with it. We define users to be entities where no other entity inherits from them. We define groups to be entities that are referred to by at least one other entity. In reality in order to support empty groups we'd need some sort of flag to define the entity as a user or group.

The end result of this generalisation allows us to create this implementation of a hierarchical user-orientated permissioning system that supports permission inheritance.

class PermissionSet:
    """A set of permissions. Must be inherited and availablePermissions defined."""
 
    # This is a list of the names of the available permissions
    availablePermissions = []
 
    def __init__(self):
        """Constructor."""
        self.permissions = dict()
        for perm in self.availablePermissions:
            # Initialise all permissions to undefined
            setattr(self, perm, None)
 
 
    # __setattr__ is just needed for ease of use in Python to allow the usage of PermissionSet().somePermissionName = True
    def __setattr__(self, name, value):
        """Set attribute."""
        if name in self.availablePermissions:
            # Set a permission value
            self.__dict__["permissions"][name] = value
        else:
            # This is needed for internal operation of this class
            self.__dict__[name] = value
 
 
 
    # __getattr__ is just needed for ease of use in Python to allow the usage of print PermissionSet().somePermissionName
    def __getattr__(self, name):
        """Get attribute."""
        if name in self.availablePermissions:
            # Get a permission value
            return self.__dict__["permissions"][name]
        else:
            # This is needed for internal operation of this class
            return self.__dict__[name]
 
 
    # __str__ is just needed to display all the permissions this set represents neatly as a string.
    def __str__(self):
        """Return all available permissions and their current values."""
        return "\n".join(["  %s = %s;" % (k, v) for (k, v) in self.permissions.items()])
 
 
 
class UserEntity:
    """An abstract hierarchical user entity."""
 
    def __init__(self, name, permissionSetClass, permissions = None, parent = None):
        """Constructor."""
        self.name               = name               # The name of this entity.
        self.permissions        = permissions        # A permission set instance. This should be of the same type as permissionSetClass or None.
        self.parent             = parent             # The parent object for this entity.
        self.permissionSetClass = permissionSetClass # The permission set that this identity references.
 
 
 
    def get_aggregate_permissions(self, aggregate = None, undefinedList = None, visited = None):
        """Returns an aggregate set of permissions. These represent the actual permissions this entity has in total."""
 
        if visited is None:
            # This is used to guard against cyclic relationships and infinite recursion
            visited = list()
 
        if aggregate is None:
            # Construct our aggregate permission set
            aggregate = self.permissionSetClass()
            # Make a copy of the available permissions
            undefinedList = list(aggregate.availablePermissions)
 
        if self.permissions is not None:
            # If we have some level specific permissions copy them into the aggregate.
            newUndefined = list(undefinedList)
            for k in undefinedList:
                v = getattr(self.permissions, k)
                if v is not None and getattr(aggregate, k) is None:
                    # k is set at this level and hasn't been set at a lower level
                    setattr(aggregate, k, v)
                    newUndefined.remove(k) # k is now defined
            undefinedList = newUndefined # Update what permissions remain undefined
 
        if self.parent is not None and self.parent not in visited and undefinedList:
            # This isn't a top level entity and our parent hasn't previously been visited.
            return self.parent.get_aggregate_permissions(aggregate, undefinedList, visited)
        else:
            # There is absolutely no more definitions for this aggregation at any level in the hierarchy
            return aggregate
 
 
    def has_permission(self, permission_name, visited = None):
        """Returns True if this entity has permission, False if this entity does not have permission and None if permission is undefined for this entity."""
 
        value = None
        if visited is None:
            # This is used to guard against cyclic relationships and infinite recursion
            visited = list()
 
        if self.permissions is not None:
            # We have our own set of level specific permissions.
            # Check if we've got a value for the named permission.
            value = getattr(self.permissions, permission_name)
            if value is not None:
                # We've a level specific value for this permission, return it.
                return value
 
        if self.parent is not None and self.parent not in visited:
            # This isn't a top level entity and our parent hasn't previously been checked for the permission.
            # Let's defer the decision of this permission to our parent.
            return self.parent.has_permission(permission_name, visited)
        else:
            # There is absolutely no definition for this permission at any level in the hierarchy
            return None
 
 
    # __str__ is just needed to display all the permissions this entity defines neatly as a string.
    def __str__(self):
        """Return a printable string for this entity."""
        return "%s '%s' {\n%s\n}" % (self.__class__.__name__, self.name, self.get_aggregate_permissions())
 
 
 
class UserGroup(UserEntity):
    """This class provides a concrete type for a user entity that represents a group."""
 
    def __init__(self, name, permissionSetClass, permissions, parent = None):
        """Constructor."""
        UserEntity.__init__(self, name, permissionSetClass, permissions, parent)
 
 
 
class User(UserEntity):
    """This class provides a concrete type for a user entity that represents a user.
    The only requirement for this qualification is that no other entities reference this object as a parent."""
 
    def __init__(self, name, permissionSetClass, group, permissions = None):
        """Constructor."""
        UserEntity.__init__(self, name, permissionSetClass, permissions, group)

Example usage of this code is given below.

class ExamplePermissionSet(PermissionSet):
    """This is a specific set of permissions."""
 
    availablePermissions = ["canCreateUsers",
                            "canViewUsers",
                            "canUpdateUsers",
                            "canDeleteUsers",
                            "canInitiateReconciliation",
                            "neverDefined"]
 
 
 
class ExampleUserGroup(UserGroup):
    """A specific user group class that uses ExamplePermissionSet."""
 
    def __init__(self, name, permissions, parent = None):
        UserGroup.__init__(self, name, ExamplePermissionSet, permissions, parent)
 
 
 
class ExampleUser(User):
    """A specific user group that uses ExamplePermissionSet."""
 
    def __init__(self, name, group, permissions = None):
        User.__init__(self, name, ExamplePermissionSet, group, permissions)
 
 
 
p1                           = ExamplePermissionSet()
p1.canInitiateReconciliation = False
p1.canDeleteUsers            = False
p1.canCreateUsers            = True
p1.canUpdateUsers            = True
p1.canViewUsers              = True
 
p2                           = ExamplePermissionSet()
p2.canInitiateReconciliation = True
 
p3                           = ExamplePermissionSet()
p3.canViewUsers              = False
p3.canCreateUsers            = False
 
supergroup                   = ExampleUserGroup("SuperGroup", p1)
group                        = ExampleUserGroup("Group", p2, parent = supergroup)
user1                        = ExampleUser("User 1", group)     # Using the default group-level permissions
user2                        = ExampleUser("User 2", group, p3) # Using mostly group-level permissions but with user-level refinements
 
all = [supergroup, group, user1, user2]
 
for e in all:
    print e
print "user1 canDeleteUsers =", user1.has_permission("canDeleteUsers")
print "-" * 30
 
 
group.permissions.canDeleteUsers = True # Change group-level permissions this should filter down to user1
 
for e in all:
    print e
print "user1 canDeleteUsers =", user1.has_permission("canDeleteUsers")
print "-" * 30

That's all folks! If I get motiviated I'll discuss data-orientated permissioning and the use of access control lists.