"objects" in a RBAC system
I am looking at role-based authentication for the web app at my work. We use ColdFusion, which does not seem to have any good RBAC libraries, so we might have to make one from scratch.
Looking at a sample data model, objects are tied to permissions:
http://www.mind-it.info/2010/01/09/nist-rbac-data-model/
It looks like a one-to-many relationship between objects and permissions, which makes sense.
However, I am wondering whether these "objects" should be abstract or concrete.
Our system will have a few limited types of objects; for the sake of example, let us say "news", "events", and "albums". The permissions and roles will most likely be attributed to these types, since all object instances of any of these types will require the same permissions and accessibility for the different roles.
In the example I looked at, it seemed to me that each instance of an object was attached to permissions. If this were the case, I see a lot of overhead in this type of system...
So, I was wondering whether these "objects" are in fact the abstract object types that are associated with a role, or whether these "objects" are the actual object instances themselves? (Or whether the RBAC model allows for either implementation...)
Thanks!
You should definitely tie permissions to objects. Yes, there is some overhead while developing it, but it is by far the best case.
Think about it: while you're developing, let's say, the "Add news item" functionality, you create a permission called something like "addNewsItem". Then you simply tie that permission to the roles that you want to have that ability.
The beauty of this system is that once you code your permissions tied to objects (like the add item), you never have to change it if your users or roles ever change. The "Add news item" will always need the "addNewsItem" permission. That never changes.
If you instead wrap your objects with roles for example, and you decide to add a new role - you're going to be going in and changing code to allow that role any permission. Yuck.
It's actually quite easy to implement. Here's a post I did with some basics on implementation:
ColdFusion: Application Options Based on Role?
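As an added illustration of the answer's point (example code written for this page, not from the question, the answer, or the linked post; Python stands in for ColdFusion, and the role, user and object-type names are constructed): permissions are keyed to the abstract object types from the question, and feature code names only the permission it needs, so adding a role is a data change rather than a code change.

```python
from dataclasses import dataclass, field

# Constructed example: a minimal core RBAC model in which "objects" are the
# abstract object types from the question ("news", "events", "albums"), not
# individual records. A permission is an (operation, object_type) pair, so the
# permission table grows with the number of types, not the number of rows.
Permission = tuple[str, str]  # e.g. ("add", "news") is the "addNewsItem" permission


@dataclass
class Rbac:
    role_permissions: dict[str, set[Permission]] = field(default_factory=dict)
    user_roles: dict[str, set[str]] = field(default_factory=dict)

    def grant(self, role: str, operation: str, object_type: str) -> None:
        """Role -> permission assignment (NIST 'PA'). Pure data; no code change."""
        self.role_permissions.setdefault(role, set()).add((operation, object_type))

    def assign(self, user: str, role: str) -> None:
        """User -> role assignment (NIST 'UA')."""
        self.user_roles.setdefault(user, set()).add(role)

    def is_allowed(self, user: str, operation: str, object_type: str) -> bool:
        """Deny by default; allow only if one of the user's roles holds the permission."""
        wanted = (operation, object_type)
        return any(wanted in self.role_permissions.get(role, ())
                   for role in self.user_roles.get(user, ()))


def add_news_item(rbac: Rbac, user: str, title: str) -> str:
    """The 'Add news item' feature. The guard names the permission, never a role,
    so renaming or adding roles never touches this function."""
    if not rbac.is_allowed(user, "add", "news"):
        raise PermissionError(f"{user} lacks permission (add, news)")
    return f"created news item: {title}"  # stand-in for the real database insert


def build_demo() -> Rbac:
    """Constructed sample policy for the three object types in the question."""
    rbac = Rbac()
    for object_type in ("news", "events", "albums"):
        rbac.grant("editor", "add", object_type)
        rbac.grant("editor", "edit", object_type)
        for role in ("editor", "viewer"):
            rbac.grant(role, "view", object_type)
    rbac.assign("alice", "editor")  # constructed users
    rbac.assign("bob", "viewer")
    return rbac
```

Adding a new role afterwards is just more `grant` and `assign` rows; `add_news_item` is untouched.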