Eric, There are, as you will find out, a number of ways you could handle it. The "right" way is really your decision and it's directly related to the flexibility, maintainability, and security your site will require. I have had success in the past using a role-based permission system. For example, I'd create a role called Administrator and give that role permission to insert, update, delete, and select from every single table in the application/intranet. Then, I'd create another group called, for example, Newsreaders that only had permission to select from a table a with news items in it. They wouldn't be able to add or edit news items and they wouldn't be able to view any other information that didn't come from the newsitems table. When users logged in and were authenticated, they'd be assigned one or more of the roles that exist. And in the session framework, on each page that had to restrict access, I'd check the session variables $_SESSION["isadmin"] or $_SESSION["isnewsreader"] or whatever to make sure that they were members of the proper role to view that page. Of course, you need to build the Administrator interface that would allow the Administrator to assign users to roles in order to maintain all of the roles your application/intranet may need. You could do this on the command line in MySQL, but I think the extra effort to code it into a friendly web page would pay off in maintainability and usability by someone other than yourself. Now, this may not be the most secure way of controlling access, but it was appropriate for the application I was working on. You may also want to do a Google search and see what kinds of pre-build session handling tools are available. That may save you the time of building one from scratch and troubleshooting it. Good luck. Rich -----Original Message----- From: Eric Cranley [mailto:ericc@xxxxxxxxxxxxxxx] Sent: Monday, November 01, 2004 5:36 PM To: php-db@xxxxxxxxxxxxx Subject: Database Design Recommendations I tried to find this in the archives. If I missed it, my apologies in advance. I'm developing an intranet for my company, and we are planning on putting sensitive information on it. I've already setup a login system using sessions, but I'm not sure how to manage and store permissions, such as who can view commissions, reset user passwords, etc. I've devised two methods, but I have a feeling there's a better way to do this that I'm not thinking of. I'll be storing these permissions in a MySQL database. My first idea was a single field with the SET datatype. This allows for a user to have multiple permissions, but makes it hard for other employees to add permissions later, if they decide to restrict a previously open access page. (I should mention that I'm the only person here who knows how to adjust a table in MySQL, and I won't be around forever.) My other idea solved the previously mentioned problem. I could create a second table with employee permissions. It would have two fields, employee_id and permission. Every employee would have one row for every permission they had. I could also create a third table of page names and required permission to view it, so if someone later decides that only certain people should view a page, they can change it without coming to me. What do people think of these ideas, and is there a better way to do this? Thanks in advance. Eric Cranley IT Specialist Willis Music Company -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
