ruby on rails - OAuth2 and role-based access control -

-

i have rails app acting oauth 2.0 provider (using oauth2-provider gem). stores information related users (accounts, personal information, , roles). there 2 client apps both authenticate through app. client apps can use client_credentials grant type find users email , other things don't require authorization code. users can log in client apps using password grant type.

now issue we're facing users' roles defined globally on resource host. if user given admin role on resource host, user admin on both clients. question is: should have more fine-grained access control? i.e. user can editor app1 not app2.

i guess easy way change role names so: app1-admin, app2-admin, app1-editor, app2-editor, etc. bigger question is: implementing whole system correctly; is, should storing info on resource host, or should denormalize data onto client apps?

a denormalized architecture this: user data on resource host, localized user data on each client host. user@example.com have personal info on resource host , have editor role stored on client app1. if never uses it, app2 oblivious of existence.

the drawback denormalized model there lot of duplication of data (account ids, roles) , code (user , role models on each client, separate management interfaces, etc.).

are there drawbacks keeping data separate? client apps both highly trusted--we made them both--but add additional client apps, not under our control, in future.

the proper way use oauth , other similar external authorization methods see it, strictly authentication purposes. business/authorization logic should handled on server part @ times, , should keep central record of user, linking external info per external type of auth service.

having multilevel/multipart set of access, must, if want setup scalable , future-proof. standard design separate authorization logic , in direct relation business rules.

stackoverflow this, asking create actual account on site after login using external method.

update: if sites similar can subset design object per application keeps application specific access rules. object has inherit global object has global rules (thus can example impose ban application-wide or enterprise-wide).

i go objects contain acess settings, , roles can related instances of both application level settings , global settings automating/compacting assignment of access.

actually can use design if not similar. avoid redundant settings , meaningless (business-wise) roles. can identify role purely job title/purpose, , impose restrictions linking appropriate acess settings setup.


Comments

Post a Comment

Popular posts from this blog

jasper reports - Fixed header in Excel using JasperReports -

-
how can create excel report fixed header using japserreports? mean need header fixed when scroll excel file. this possible adding couple properties in jrxml file each report. take @ advanced excel features freeze panes. if wanted freeze after first column header (down left side basically) this: <statictext> <reportelement style="sans_bold" mode="opaque" x="0" y="60" width="104" height="20" forecolor="#ffffff" backcolor="#666666"> <property name="net.sf.jasperreports.export.xls.auto.filter" value="start"/> <property name="net.sf.jasperreports.export.xls.column.width" value="110"/> <property name="net.sf.jasperreports.export.xls.freeze.column.edge" value="left"/> </reportelement> &
Read more

media player - Android: mediaplayer went away with unhandled events -

-
i need duration of audio file series of voice announcements need play app. have added audio files resources , play fine. sample code below works perfect intended purpose: return duration of audio files. here code: float getdurationofaudioresource(locationenum loc, context context){ float duration = 0; try { mediaplayer mp; mp = mediaplayer.create(context, getaudioresource(loc)); duration = mp.getduration(); mp.release(); mp = null; } catch (illegalstateexception e) {e.printstacktrace(); logerror(25, "testdescitem:fault::could not open mediaplayer object audio resource.");} return duration; } here's weird thing. code called in main activity prepares set of audio instructions given test. there no errors within activity. second activity called, long string of errors on logcat. 03-07 13:23:43.820: i/actionlogger(21435): gentest_info_test #0 created. 03-07 13:23:43.830: i/actionlogger(21435): gente
Read more

python - ('The SQL contains 0 parameter markers, but 50 parameters were supplied', 'HY000') or TypeError: 'tuple' object is not callable -

-
import pyodbc,nltk,array cnxn = pyodbc.connect('driver={mysql odbc 5.1 driver};server=127.0.0.1;port=3306;database=information_schema;user=root; password=1234;option=3;') cursor = cnxn.cursor() cursor.execute("use collegedatabase ;") cursor.execute("select * sampledata ; ") cnxn.commit() s=[] j=[] x=[] words = [] w = [] sfq = [] pos=[] entry in cursor: s.append(entry.injury_type),j.append(entry.injury_desc) nltk.tokenize import punktwordtokenizer nltk.corpus import stopwords tokenizer = punktwordtokenizer() english_stops = set(stopwords.words('english')) in range(0,26): # filter stop words tokenizer.tokenize(j[i]) w.append([word word in tokenizer.tokenize(j[i]) if word not in english_stops]) in range(0 , 26):#converting tokenzied text ito string sfq.append(" ".join(w[a])) replacers import regexpreplacer replacer = regexpreplacer() in range (0,26):#pos tagging replacer.repl
Read more