Just looking for some advise on how I could store if a user has permissions to do a certain task.
The way the project is laid out is there are lots of "section" and then there are multiple permissions associated within that section.
For example
Management section permissions
can delete
can add
can move
Creation section permissions
can create
can createbigger
can createbest
Each user can have any of these permissions and does not require the previous permission in order to have it
Probably not the best example but I cant think of anything
I was thinking of having a system using intergers kinda like linux's permission system but was wondering what other people would recommend sorry if my question is not very clear.
Thanks!
Forgot to mention I indtend of storing the permissions in a database!
Related
I'm looking for a PHP script that will allow me to easily manage 'MySql' tables. By managing I mean not their creation but the possibility of adding new records, modifying and deleting them.
It must be possible to specify for each user which tables he will have access to and with which modalities (insertion only, modification only, etc.).
For each user I will also have to specify whether he will be able to see all or some of the columns in the table and with which permissions.
Also I'll need to know who did what, a sort of global change LOG.
My idea was to have a back-end in which I specified the users and how to access the various tables/columns and a front-end for the users.
In the front-end users will be able to add/modify/delete records and data they are allowed and the ability to filter and/or sort the various records.
I know I could use some PHP frameworks or rely on CMS but I have to write a lot of code by hand and it seems hardly credible that such a product is not already available.
Does anyone know if there is something like this?
I had tried starting with PHP frameworks but implementing everything from scratch stopped me.
I expect there is already something available.
Thanks.
Davide.
I want one of my Linux users to be able to see the size of table files in /var/lib/mysql/[db]/..., but these dirs are owned by mysql:mysql and everyone does not have read access. Is it safe to add a normal user to the mysql group?
All things about security that I learned is about give access Only if it's absolutely necessary. Said that, you can think convenient to give them only read permissions, and for that, create new roles:
MySQL - How to grant read only permissions to a user?
And if the users need to read the file (only the system file), you'll be opening the archives for their by making a specific group with the right permissions. And yes, is convenient, less secure, but resolve your problem.
I have an existing Laravel application with various functions, controllers, authentication, middleware, CRUD, admin functionality, and more. I want to be able to deploy this application onto some hosting and have others view all of the pages, but I do not want them to be able to edit or create values in the database. So, for example, while I have CRUD for all of the resources, I want them to be able to read all of the resources but not edit, create, or delete anything. I also want them to not have to register/login, but I know how to fix that.
I have tried LOCK TABLE [tablename] READ in MySQL, but that does not seem to have done anything. Currently, my only other idea would be to go through and set ifs checking if the user is authenticated to save database interactions, but this would be a little laborious.
Is there any feasible or simpler way of doing this? Thanks for any help.
I've searched for an answer to this and all I can seem to find are questions asking whether it is better to use multiple databases or multiple tables in a single database. This isn't my question though.
QUESTION 1.
I want to set up a new database alongside my current DB and don't know how. I want to give a user full admin access to DB2 without seeing DB1. This way I can host a friend's site and they can create and delete as many tables as they want without disturbing my own DB. I could also use it for demo sites that aren't secure and shouldn't exist inside my primary DB.
I figure I could do this pretty easily with a virtual machine and run a separate instance of MySQL but my resources are limited so that isn't really an option.
I'd like to set this up in one of 2 ways. I would prefer to have "server.example.com" host both DBs and open the proper DB based on user login. If not I could do it routing to server1.example.com and server2.example.com.
QUESTION 2.
If this isn't possible I'd like to know how to properly set up restricted access to a single DB in sequel pro. I have been messing around with it and so far prefer it to PHPMyAdmin. For some reason if I set up a new user with no permissions they have full access to my 'information_schema' and 'test' tables but can't create new tables. I don't want other users to access these tables though and I want them to be able to set up their own tables. I'd like to set it up so a new user can create a limited number of tables and only see and edit those tables. I can't seem to find information on this either.
Even if my first question is possible I'd like to know the answer to question 2. I've been searching for a long time and can't find reliable information anywhere. Maybe my brain is just tired...
You can set up multiple instances of mysql but for your situation you are better off creating different databases within the same instance.
You can create databases and then add users that only have access to manipulate the database they are given and nothing else.
Essentially the heirarchy is as follows:
Mysql (root or any other super user can see everything)
- Your DB
- Your Users
- Your tables/functions/Procedures/etc
- Their DB
- Their Users
- Their tables/functions/procedures/etc.
You basically separate the access for each, and in PHPMyAdmin it is very easy. The steps are:
Add Database )
Add User, restricting them to that database allowing only priveleges you want to give to that user and only to that database. (Guide here)
You can grant access to different database to different user using GRANT in MySQL.
https://dev.mysql.com/doc/refman/5.1/en/grant.html has the information you need.
The most simple you can do is
CREATE DATABASE db_for_user_a
CREATE DATABASE db_for_user_b
GRANT ALL PRIVILEGES ON db_for_user_a.* TO user_a IDENTIFIED BY 'user_a_s_password'
GRANT ALL PRIVILEGES ON db_for_user_b.* TO user_a IDENTIFIED BY 'user_b_s_password'
You are going to need to provide more information about your set up to answer this question of setting up multiple databases specifically.
Servers typically have methods to create multiple databases with software that is designed specifically to run on those platforms (Apache, and Windows server are a couple servers that can run software like WAMP or phpMyAdmin to manage these databases).
And in answer to the permissions: Yes, you can designate users that can have specific privileges on one, both, or neither of the databases. But, you can also set up table-specific roles and actions as well. This is more obvious with Microsoft's management studio though, where Mysql you may want to use something like Mysql Workbench initially.
On cPanel, for example, you can add a new database if your host allows it. On windows, you'll have to use other tools to set up a new database.
In answer to your first inquiry, each database requires its own connection, and there are database-wide operations that you can do such as migration and backups. A rule of thumb is to only keep entirely separate data in different databases, unless there is absolutely a reason to separate types of information into a different kind of database for efficiency. Typically, you do not relate data between different databases except for much more complex situations.
You can create separate databases and use them separately in sequel pro, I believe. Most platforms have an option to create a new db in the databases list.
Well I think I was confusing some stuff here. I apologize for that. I was calling databases 'tables'.
I was wanting to allow users to create new databases but not see the ones that others create. I think I can make this work by just limiting permissions and allowing users to access one or two databases.
It seems like PHPMyAdmin has some easier to use options than Sequel Pro. I've only briefly used it in the past but I'll give it another shot.
As for command line stuff, I love being able to work in command line but I don't know all the commands so it makes things generally difficult to figure out and the man pages weren't all that helpful.
Thank you for your answers and I'm sorry for my newbie questions.
I'm working on logs for a customer service application. Another guy who is not a very experienced developer is working on other things, but we're both in the same database. He has some friends that work in Customer Service. I don't think he'd delete logs, but I want to be sure that if logs were deleted, we'd know about it.
Is it possible to get an email if a row is deleted, can I make a backup of that row in another database somewhere of the "deleted" data if it was deleted...... what are my options?
Or better yet.... what do you do?
Update
Part of the issue here is that there is no "programming" or "development" manager. The company has 25 employees - 2 of which are developers and we answer to the office manager who knows nothing about development.
For starters, don't allow developers access to the production environment. (Nobody should have direct access to the production environment except your highly trusted system administrator.)
Next, do all data changes via stored procs with a special account, and don't allow interactive access to the tables.
Finally, as part of the software, add an audit trail so you can see who did the deletion.
Or better yet.... what do you do?
Create second database user for him and do not grant DELETE privileges for log table?
I think hourly backups, and if necessary comparing the row counts, are the easiest and most reliable thing to do.
That's one reason why developers should not have access to production data. There are many more, privacy comes to mind, but to me the most important is still that you do not want anyone, no matter how trusted, able to "mess" with live data in any way.
So make sure developers work against a separate database, and ensure that the live production database does not have any users with priviliges they shouldn't have.
Make backups in another table with ENGINE=ARCHIVE? You need the privileges to run DDL statements in order to remove data from an ARCHIVE table.