Mongodb – How to structure a MongoDB database to allow for multiple users to use the same account with restrictions based on roles

database-designmongodbusers

Ok, firstly I'm very new to MongoDB, and newish to DB development/management as a whole. I've done a unit using Oracle through uni, but apart from just manipulating fields through the phpmyadmin interface for wordpress plugins/sites, that's about it.

I want to model a (fairly complex?) user system. Here's an excerpt from the brief relating to it.

Users should be able to log in with their email and password, create a new account, invite other users and set different access rights. This way multiple users can share the same account with different levels of authority (ready-only, editing rights, etc.)

The backend needs a section where the business owner can set global restrictions on areas/sections of the app for different groups of users.

I've done a bit of research into structuring a MongoDB database and understand there should be a balance between embedding data into documents, and referencing other documents so that in the end you require fewer queries than if you embedded everything or referenced everything.

Here are my initial thoughts.

Side note – I don't know how to properly document a MongoDB schema so sorry if this doesn't actually make sense. I'll try explain it as best I can.

The diamond connections are for embedded objects inside documents, while the straight connections show references. (i.e AccountUsers are embedded in an Account while a Role is referenced by a User and AccountUser). I should probably update this to show directions and relation. Anyway…

I believe this setup allows both Users on an application level, and users on an account level to have separate roles that can be retrieved later. Global restrictions could be set by the business owner for all users of a certain role, and the admin of an account can set account wide restrictions based on setting a user's account role.

The roles themselves are arrays of objects containing a boolean and a reference to a SitePermission. The idea being that the SitePermissions will be setup by the dev team, with one SitePermission for each section of the app, from which the business owner or account owners can create their own roles.

Does this setup seem like a good way to go about creating a database that suits the brief? Like I said, I'm really new to MongoDB so I could have this whole thing completely wrong by treating it similarly to an RDBMS like Oracle. I basically just need to know if I'm doing this right? Thanks!

Best Answer

When working on an authorization requirement for any application, there are three essential elements that are part of the setup:

• The resources that need to be secured/authorized
• A list of roles and users that are part of these roles
• A mapping between the resources and the roles that define who can access what

Related Solutions

Database model with users, roles and rights

First of all, what type of security model do you plan to implement? Role-based Access Control (RBAC) or Discretionary Access Control (DAC)?

RBAC in the Role-Based Access Control (RBAC) model, access to resources is based on the role assigned to a user. In this model, an administrator assigns a user to a role that has certain predetermined right and privileges. Because of the user's association with the role, the user can access certain resources and perform specific tasks. RBAC is also known as Non-Discretionary Access Control. The roles assigned to users are centrally administered.

DAC In the Discretionary Access Control (DAC) model, access to resources is based on user's identity. A user is granted permissions to a resource by being placed on an access control list (ACL) associated with resource. An entry on a resource's ACL is known as an Access Control Entry (ACE). When a user (or group) is the owner of an object in the DAC model, the user can grant permission to other users and groups. The DAC model is based on resource ownership.

see source

1) In RBAC: you need ElementType table to assign rights to role (users are assigned to role(s)). RBAC defines: "What can this role/user do". Administrator assigns rights for roles and permissions to roles, assigns users to role(s) to access resources. 2) In DAC: users and roles have rights to elements via access control list (ownership). DAC defines: "who has access to my data". User (owner) grants permissions to owned resource.

Any way I suggest this data model:

CREATE TABLE ElementType
(
    Id (PK)
    Name
    ...
)

CREATE TABLE ElementBase
(
    Id (PK)
    Type (FK to ElementType)
    ...
)

(one to one relationship)

CREATE TABLE Element_A
(
    Id (PK, FK to ElementBase)
    ...
)

CREATE TABLE Element_B
(
    Id (PK, FK to ElementBase)
    ...
)

1) RBAC (many-to many relationship)

CREATE TABLE ElementType_To_Role_Rights
(
    RightId (PK)
    RoleId  (FK to Role)
    ElementTypeId (FK to ElementType)
    ...
)

2) DAC (many-to many relationship)

CREATE TABLE ElementBase_To_Actor_Rights
(
    RightId (PK)
    ElementBaseId (FK to ElementBase)
    ActorId (FK to Actor)
    ...
)

CREATE TABLE Actor
(
    Id (PK)
    Name
)

CREATE TABLE User
(
    Id (PK, FK to Actor)
    Password
    ...
)

CREATE TABLE Role
(
    Id (PK, FK to Actor)
    ...
)

Mongodb – How to setup a MongoDB replica set for the connector

You can start a single node replica set by starting the mongod with the replSet argument/config option, that is all that is required. It takes a name argument, which will then function as the name of the replica set in question. Once you have done that, you simply run rs.initiate() from the shell when connected to the node (this is only needed once).

This is described in detail here:

http://docs.mongodb.org/manual/tutorial/convert-standalone-to-replica-set/

To stay with just a single node, simply do not follow the "Expanding the set" instructions.

Best Answer

Related Solutions

Database model with users, roles and rights

Mongodb – How to setup a MongoDB replica set for the connector

Related Question