Securing Web Pages with Role-Based Security, Part I

One of the most convenient security mechanisms is role-based security because it allows individual users to be assigned into roles, and then access granted at the role level.
- Alan Fisher, Chairman of Iron Speed, Inc.

September 20, 2005
Iron Speed Designer V3.1

Most applications serve a variety of constituents – customers, customer service, marketing, sales, and management, to name a few. It’s increasingly common in contemporary web applications to permit much broader access to applications and their underlying data than was common with client-server applications, which had more restricted user bases. With broader use comes an increased need to partition data according to the user type – and sometimes down to the individual user as well.

One of the most convenient security mechanisms is role-based security because it allows individual users to be assigned into roles, and then access granted at the role level. This makes for convenient administration because most applications need just a handful of roles – 5 or 10 at most – but may have thousands of users.

Broadly speaking, Iron Speed Designer generates three types of role-based security:

  1. Simple sign-in authentication. Application users must sign into the application. Only users with user names and passwords can sign in, giving you control over who can access your application.
  2. Single-role authentication. Application users must have a designated role in order to access a particular web page. Individual web pages are configured so that only those users with the designated role can access the page.
  3. Multiple-role authentication. Individual web pages are configured to accept users who have one of several designated roles.

With role-based security, you can:
  • Define user names and passwords.
  • Create and assign multiple user roles for your users.
  • Configure each web page for access by designated user roles.
  • Generate your application’s entire role-based security infrastructure.

Simple Sign-In Authentication

Simple sign-in authentication distinguishes between users who are signed in and those who are not. Users who are not signed in are called anonymous users. Because of the flexibility in Iron Speed Designer’s role-based security model, you can grant access to individual pages to signed-in users only, to anonymous users only, or to both. This is very useful when you want your application to present one view of your data to a signed-in user and a different, perhaps more limited, view to users who haven’t signed in or don’t have an account (anonymous users).

All that is needed to configure sign-in authentication is a single database table containing your application users’ basic user name and password information. Configuring simple sign-in authentication is straightforward:

Step 1: Configure the role-based security by selecting the proper fields from the selected database table.

Step 2: Specify page-specific access rights using the Properties dialog.

Step 3: Define sign-in and sign-out pages.

Step 4: Build your application.

Single Role Authentication

Single role authentication distinguishes between different classes of users based on their assigned role. Individual application pages can be configured to permit access only to users who hold the required role. In the single role authentication model, each application user has exactly one role assigned to them; the application pages, however, can be configured to permit access to users from several roles, for example, sales and marketing.

Each user’s single role assignment is stored in the same database table as the user name and password information required for simple sign-in authentication. Configuring single role authentication is straightforward:

Step 1: Configure the role-based security by selecting the proper fields from the selected database table (user name, password, user ID and role)

Step 2: Specify page-specific access rights using the Properties dialog.

Step 3: Define sign-in and sign-out pages.

Step 4: Build your application.

Multiple Role Authentication

In more sophisticated role-based security systems, users can be assigned multiple roles, effectively giving them broader access than would be granted by a single role. A simple example: not every customer service representative may be authorized to access customer credit card data. In this example, the customer service supervisor has one role as a "rep" with access to customer account information, and a second role as "manager" with authorization to issue refunds or credits. Ideally, both roles are in effect simultaneously, without requiring the user to sign in a second time under the other role.

Configuring multiple-role authentication is straightforward:

Step 1: Configure the role-based security by selecting the proper fields from the selected database tables (user name, password, user ID, the role information, and the user role information).

Step 2: Specify page-specific access rights using the Properties dialog.

Step 3: Define sign-in and sign-out pages.

Step 4: Build your application.

Putting It All Together

Iron Speed Designer automatically adds end-user authentication (sign-in) access control as a standard feature to your applications if you designate a User Table. You can define any number of roles and assign any number of those roles to each user. Your sign-in feature is based on your own user table in your database. Using a wizard in Iron Speed Designer you can quickly secure individual pages to specific roles. Specifically, Iron Speed Designer supports:
  • Separate tables for Users, User Roles, and Roles. You can use a one-, two-, or three-table user role configuration.
  • A variety of data types for these tables so you are not required to change your schema to use role-based security.
  • Page access restriction, menu hiding, and button hiding.
  • Using email to send password reminders for lost passwords.
You can quickly and easily secure your web pages so that only those assigned to appropriate access roles can access these pages. Securing web pages is a four-step process:
  1. Create user account information in your database.
  2. Create a set of user roles.
  3. Identify the location of user information in your database.
  4. Configure your web pages for role-based security.
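The three-table configuration and the page access rules described above, as an added example that is not Iron Speed Designer's generated code: it builds Users, Roles and UserRoles tables in SQLite, signs a user in against a salted password hash, and checks a page's designated roles for an anonymous user, a single-role user and a supervisor who holds two roles at once. The table and column names, the `ANONYMOUS`/`SIGNED_IN` page markers and the sample users are assumptions.

```python
# Added example, not Iron Speed Designer's generated code: the three-table Users /
# Roles / UserRoles layout and a page-access check for simple sign-in, single-role
# and multiple-role pages. Table, column and marker names are assumptions.
import hashlib, hmac, os, sqlite3

ANONYMOUS = "anonymous"   # assumed marker: page open to users who are not signed in
SIGNED_IN = "signed-in"   # assumed marker: page open to any signed-in user

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Users(UserId INTEGER PRIMARY KEY, UserName TEXT UNIQUE, Salt BLOB, PasswordHash BLOB);
        CREATE TABLE Roles(RoleId INTEGER PRIMARY KEY, RoleName TEXT UNIQUE);
        CREATE TABLE UserRoles(UserId INTEGER REFERENCES Users(UserId), RoleId INTEGER REFERENCES Roles(RoleId),
                               PRIMARY KEY (UserId, RoleId));
        INSERT INTO Roles(RoleName) VALUES ('rep'), ('manager');
    """)
    add_user(conn, "alice", "alice-pw", ["rep"])         # constructed: ordinary representative
    add_user(conn, "bob", "bob-pw", ["rep", "manager"])  # constructed: supervisor holds both roles
    return conn

def add_user(conn, user_name, password, roles):
    # Store a salted PBKDF2 hash rather than the clear-text password.
    salt = os.urandom(16)
    cur = conn.execute("INSERT INTO Users(UserName, Salt, PasswordHash) VALUES (?, ?, ?)",
                       (user_name, salt, hash_password(password, salt)))
    for role in roles:  # one row per role: several rows give the multiple-role model
        conn.execute("INSERT INTO UserRoles(UserId, RoleId) "
                     "SELECT ?, RoleId FROM Roles WHERE RoleName = ?", (cur.lastrowid, role))

def sign_in(conn, user_name, password):
    """Return the UserId on a correct password, otherwise None (anonymous user)."""
    row = conn.execute("SELECT UserId, Salt, PasswordHash FROM Users WHERE UserName = ?",
                       (user_name,)).fetchone()
    if row is None:
        return None
    return row[0] if hmac.compare_digest(hash_password(password, row[1]), row[2]) else None

def page_allows(conn, user_id, page_roles):
    """True if the page admits the user's sign-in state or any role the user holds."""
    if user_id is None:
        return ANONYMOUS in page_roles
    if SIGNED_IN in page_roles:
        return True
    held = {r[0] for r in conn.execute("SELECT RoleName FROM Roles JOIN UserRoles USING (RoleId) "
                                      "WHERE UserId = ?", (user_id,))}
    return bool(held & set(page_roles))
```

A page configured with `{"manager"}` admits the supervisor but not the ordinary representative, while `{"rep", "manager"}` admits both, which is the multiple-role page behaviour the article describes.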

About the Author

Alan S. Fisher
Co-Founder and Chairman of Iron Speed, Inc.

Mr. Fisher was a General Partner at Outlook Ventures, Inc., a venture capital company, prior to co-founding Iron Speed, Inc. He co-founded Onsale, Inc. (now Egghead.com) and was its Chief Technology Officer from July 1994 to December 1999. He also co-founded and was President of Software Partners, Inc., a developer and publisher of software products, from August 1988 to July 1994. From April 1984 to August 1988, Mr. Fisher served as Technical Marketing Manager and Product Development Manager for Teknowledge, Inc., a developer of artificial intelligence software products. From June 1981 to April 1984, he served as a member of the technical staff for AT&T Bell Laboratories. Mr. Fisher serves on the Board of Directors of Infodata Systems Inc. (NASDAQ:INFD), an e-business consulting services company. He formerly served on the boards of a number of companies including Onsale, Inc. (later Egghead.com and now Amazon.com) and FatBrain, Inc., an Internet retailer of technical and professional books.

Mr. Fisher received his B.S. in Electrical Engineering from the University of Missouri and received his M.S. in Electrical Engineering from Stanford University.
