Encrypting Data
Message
General information
Forum:
Microsoft SQL Server
Category:
Database design
Title:
Miscellaneous
Thread ID:
01428109
Message ID:
01428292
Views:
29
Hi,
I don't think there is a standard. The simplest pattern, if it will fit for your application, is to only allow a user to be in *one* role/group.
If a user can be in more than one group then more logic is needed to determine what permission should apply (usually based on the role with the most freedom).

How you assign access levels to roles will also depend on your application. I currently just have two settings for UIItems: Hidden (so they don't appear on the form) or Disabled/ReadOnly.

Do you envisage a setup where the end-user (if acting as an 'Administrator') will be able to create and configure roles to suit their own circumstances or will you create fixed roles and only allow them to add and assign users?

FWIW, the structure I'm working with is:
Users  <-- UserRoles --> Roles <-- Permissions --> Items
UserRoles is just a M-M link table. Permissions ditto but with an extra field specifying the permission level.

Regards,
Viv
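The Users <-- UserRoles --> Roles <-- Permissions --> Items structure and the "role with the most freedom wins" rule described in the reply above, worked through as an added example (not code from the thread). The table and column names, the numeric permission levels and the sample rows are my assumptions; the SQL is run against SQLite here so it is self-contained, but the same schema and MAX()-based resolution query carry over to SQL Server unchanged.

```python
import sqlite3

# Permission levels. The reply names two UI states (Hidden, Disabled/ReadOnly);
# the numeric values and the extra "Full" level are my assumptions.
HIDDEN, READONLY, FULL = 0, 1, 2
LEVEL_NAMES = {HIDDEN: "Hidden", READONLY: "ReadOnly", FULL: "Full"}

# Schema for Users <-- UserRoles --> Roles <-- Permissions --> Items.
# Column names are assumptions; UserRoles is a plain M-M link table and
# Permissions is the same plus a Level field, as described in the reply.
SCHEMA = """
CREATE TABLE Users (UserId INTEGER PRIMARY KEY, UserName TEXT NOT NULL UNIQUE);
CREATE TABLE Roles (RoleId INTEGER PRIMARY KEY, RoleName TEXT NOT NULL UNIQUE);
CREATE TABLE Items (ItemId INTEGER PRIMARY KEY, ItemName TEXT NOT NULL UNIQUE);
CREATE TABLE UserRoles (
    UserId INTEGER NOT NULL REFERENCES Users(UserId),
    RoleId INTEGER NOT NULL REFERENCES Roles(RoleId),
    PRIMARY KEY (UserId, RoleId));
CREATE TABLE Permissions (
    RoleId INTEGER NOT NULL REFERENCES Roles(RoleId),
    ItemId INTEGER NOT NULL REFERENCES Items(ItemId),
    Level  INTEGER NOT NULL CHECK (Level BETWEEN 0 AND 2),
    PRIMARY KEY (RoleId, ItemId));
"""

# "Most freedom wins": take the MAX level over every role the user holds.
# An item that none of the user's roles mentions falls through to the default
# passed as the first parameter, so unmentioned items are hidden, not exposed.
EFFECTIVE_SQL = """
SELECT i.ItemName, COALESCE(MAX(p.Level), ?) AS Level
FROM Items AS i
LEFT JOIN Permissions AS p
       ON p.ItemId = i.ItemId
      AND p.RoleId IN (SELECT RoleId FROM UserRoles WHERE UserId = ?)
GROUP BY i.ItemId, i.ItemName
ORDER BY i.ItemName
"""


def build_demo_db():
    """Constructed sample data: three users, three roles, three UI items."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    conn.executemany("INSERT INTO Roles VALUES (?, ?)",
                     [(1, "Clerk"), (2, "Auditor"), (3, "Admin")])
    conn.executemany("INSERT INTO Items VALUES (?, ?)",
                     [(1, "InvoiceGrid"), (2, "SalaryField"), (3, "AuditLog")])
    # alice holds two roles, bob one, carol none.
    conn.executemany("INSERT INTO UserRoles VALUES (?, ?)",
                     [(1, 1), (1, 2), (2, 1)])
    conn.executemany("INSERT INTO Permissions VALUES (?, ?, ?)", [
        (1, 1, FULL), (1, 2, HIDDEN),                          # Clerk
        (2, 1, READONLY), (2, 2, READONLY), (2, 3, READONLY),  # Auditor
        (3, 1, FULL), (3, 2, FULL), (3, 3, FULL),              # Admin
    ])
    conn.commit()
    return conn


def effective_permissions(conn, user_name):
    """Return {ItemName: level} for the user, resolved across all their roles."""
    row = conn.execute("SELECT UserId FROM Users WHERE UserName = ?",
                       (user_name,)).fetchone()
    if row is None:
        raise LookupError(f"unknown user {user_name!r}")
    return {item: level
            for item, level in conn.execute(EFFECTIVE_SQL, (HIDDEN, row[0]))}


def role_count(conn, user_name):
    """For the simpler 'one role per user' variant: how many roles the user holds."""
    return conn.execute(
        "SELECT COUNT(*) FROM UserRoles ur JOIN Users u ON u.UserId = ur.UserId "
        "WHERE u.UserName = ?", (user_name,)).fetchone()[0]


if __name__ == "__main__":
    db = build_demo_db()
    for name in ("alice", "bob", "carol"):
        perms = effective_permissions(db, name)
        print(name, {k: LEVEL_NAMES[v] for k, v in perms.items()})
```

Because the default is applied in the query rather than in the UI, an item that nobody has granted to a role stays Hidden; if the application is meant to allow end-user administrators to create their own roles, that fail-closed default is the part you want to keep fixed.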

>Ok, I see.
>
>From what I can see there are various design patterns for app security. Any thoughts on what the standard is?
>
>
>
>
>>Hi,
>>
>>In my case the 'normal' db will be MS SqlServer. But I've kept all the hash/compare logic out of the data layer and SQLServer itself so nothing would need to be changed if a different back end was used.
>>HTH,
>>Viv
>>
>>>>>(a) To handle the encryption in a tier that will make it back-end agnostic.
>>>Not sure what you mean by this. Please explain.
>>>
>>>
>>>
>>>>>I'm putting together some table to manage users, roles, and rights.
>>>>>
>>>>>Anyone see any problems with encrypting all the data in all three tables?
>>>>
>>>>I'm working on a similar thing at the moment. Your needs are probably different but I decided:
>>>>(a) To handle the encryption in a tier that will make it back-end agnostic.
>>>>(b) To only secure the password - and then by hash value rather than encryption.
>>>>
>>>>FWIW, here's the class I use for hashing/comparing.
>>>>    using System;
>>>>    using System.Security.Cryptography;
>>>>    using System.Text;
>>>>
>>>>    static public class HashFunctions
>>>>    {
>>>>        // Unsalted MD5 over the ASCII bytes of the string.
>>>>        public static Byte[] GetHashValue(string s)
>>>>        {
>>>>            byte[] source = ASCIIEncoding.ASCII.GetBytes(s);
>>>>            return new MD5CryptoServiceProvider().ComputeHash(source);
>>>>        }
>>>>
>>>>        // Byte-by-byte comparison; stops at the first mismatch.
>>>>        public static bool CompareHash(byte[] first, byte[] second)
>>>>        {
>>>>            bool equal = false;
>>>>            if (first.Length == second.Length)
>>>>            {
>>>>                int i = 0;
>>>>                while (i < first.Length && (first[i] == second[i]))
>>>>                    i++;
>>>>                equal = i == first.Length;
>>>>            }
>>>>            return equal;
>>>>        }
>>>>
>>>>        // Compare a stored hash against the hash of a candidate string.
>>>>        public static bool CompareHash(byte[] b, string s)
>>>>        {
>>>>            return CompareHash(b, GetHashValue(s));
>>>>        }
>>>>    }
>>>>The password is stored as a byte array (varbinary() in MSSQL)
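The quoted class hashes the ASCII bytes of the password with unsalted MD5 and compares byte by byte, returning at the first mismatch. As an added example (not code from the thread), the following shows the same "store a byte array, compare on login" pattern with a per-user random salt, a deliberately slow PBKDF2-HMAC-SHA256 derivation and a constant-time comparison, alongside a function that reproduces the posted scheme so the difference is visible: identical passwords no longer produce identical stored values, and the ASCII encoding's collapse of non-ASCII characters to "?" is avoided by encoding as UTF-8. The iteration count, salt and hash sizes are assumptions; the record stays a byte array, so it still fits a varbinary column.

```python
import hashlib
import hmac
import os

# Work factor and sizes are assumptions; raise ITERATIONS to whatever your
# hardware tolerates. The record is salt || derived key, a single byte array.
ITERATIONS = 200_000
SALT_LEN = 16
HASH_LEN = 32
RECORD_LEN = SALT_LEN + HASH_LEN


def unsalted_md5(password):
    """Equivalent of the posted GetHashValue: MD5 over an ASCII encoding, no salt.
    Encoding with errors="replace" turns every non-ASCII character into '?',
    which is what .NET's ASCII encoding does, so distinct passwords can collide."""
    return hashlib.md5(password.encode("ascii", errors="replace")).digest()


def make_password_record(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns salt || key as bytes for storage."""
    if salt is None:
        salt = os.urandom(SALT_LEN)          # fresh random salt per user
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              salt, ITERATIONS, dklen=HASH_LEN)
    return salt + key


def verify_password(record, password):
    """Check a candidate password against a stored record in constant time.
    A malformed record (wrong type or length) verifies as False, not an error."""
    if not isinstance(record, (bytes, bytearray)) or len(record) != RECORD_LEN:
        return False
    salt = bytes(record[:SALT_LEN])
    stored = bytes(record[SALT_LEN:])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, ITERATIONS, dklen=HASH_LEN)
    # compare_digest does not stop at the first differing byte, unlike the
    # posted CompareHash loop.
    return hmac.compare_digest(stored, candidate)


if __name__ == "__main__":
    rec = make_password_record("correct horse battery")
    print("stored record length:", len(rec))
    print("login ok:", verify_password(rec, "correct horse battery"))
    print("wrong password:", verify_password(rec, "correct horse batterY"))
    print("same password, same MD5:",
          unsalted_md5("hunter2") == unsalted_md5("hunter2"))
    print("same password, same salted record:",
          make_password_record("hunter2") == make_password_record("hunter2"))
```

Keeping the salt inside the same varbinary value means the data layer still sees one opaque byte array, which preserves the back-end-agnostic arrangement described earlier in the thread; only the hashing tier knows the record layout.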