next up previous contents
Next: Further developing Up: The Access Control Previous: Grouping groups   Contents


Specifying constraints for the grouping

In the previous sections we specified the three types of constraints which are use in the grouping:
  1. user-groups-constraints - checking if the user can be ascribed to the new group with his current aggregation of groups
  2. group-groups-constraints - checking if the group can be defined as a part of other group.
  3. role-constraints - checking if the role can be added to the group
The manner of adding new constraints for each of this category is very similar. At the beginning we have to check that the new constraints will be valid for the current definitions allocated for the user and groups (f.e. one of the user is assigned to two groups which we want to exclude). Thus the one of the following statements have to be executed:
SELECT user_id FROM ar_user_groups WHERE group_id='first group id' or group_id='second group id
This SELECT is executed for the first type of constraints. In the WHERE clause we put these group ids for which the new constraint will be defined. As a result we get a users which are attributed for these groups.

SELECT hl_group_id FROM ar_group_groups WHERE ll_group_id='first group id' or ll_group_id='second group id
The SELECT is executed for second type of constraints. In the WHERE clause we put these group ids for which we want to define new constraint. SELECT returns these parent groups which have such child groups defined.

SELECT group_id FROM ar_role_groups WHERE role_id='first role id' or role_id='second role id
The last SELECT is executed for the third type of constraints. In the WHERE we put the role_id for which we want to define new constraint. Returned results give the information about groups to which these roles are assigned.

After this when the SELECT is executed, the algorithm checks if there are any duplicates in the returned results (two the same user, two the same groups). If the duplicates are presented for one of this SELECT then they are returned as an one conflicts list. In such case the new constraints can not be added because it causes a contradiction in the current definitions. The administrator first has to change these conflict definitions and then this constraints can be introduced.


next up previous contents
Next: Further developing Up: The Access Control Previous: Grouping groups   Contents
Marek Imialek 2006-06-22