I need to create RBAC functionality in a FileMaker solution. That is,
- A table to store authorisation items, which can be (in increasing order of granularity) operations, tasks or roles.
- Authorisation items assigned to users in a users table. The users table mirrors most of the users in the File itself (Full Access accounts).
- Authorisation items can inherit other authorisation items at the same level or below. For example:
  - Operations can be parents of other operations but not tasks or roles.
  - Tasks can be the parents of operations or other tasks but not roles.
  - Roles can be the parents of operations, tasks or other roles.
- An authorisation item can have multiple parents and multiple children.
I've implemented RBAC in PHP MVC frameworks such as Yii, and I have some ideas about how to do it in FileMaker, but before embarking on this I wanted to see if anyone had done this sort of thing before and could offer me some pointers.
Obviously, setting up the tables and managing the relationships is fairly straightforward; it's the implementation of the rules that is the interesting part. My current thinking is that for this to work well, users would need to declare their actions more explicitly than they usually do in FileMaker applications. For example, they would need to press an edit button in order to access a data-entry layout. That button would then run a parameterised script which would compare a user's access level in the RBAC tables with the level of access required by the operation.
Any thoughts / ideas / plugins / sample files much appreciated.
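
The rules listed in the post, sketched in Python as an added example that is not part of the original post and not FileMaker code: it enforces the parent/child level rule, rejects loops between same-level items, and resolves access through multiple parents with deny by default. `AuthGraph`, `LEVEL`, `build_example` and every item and user name are hypothetical; the three dictionaries stand in for the item, parent/child and assignment tables, and `check_access` for the parameterised script behind a button.

```python
from collections import defaultdict

# Rank of each level in the post: a parent may hold items of equal or lower rank.
LEVEL = {"operation": 0, "task": 1, "role": 2}

class AuthGraph:
    def __init__(self):
        self.rank = {}                    # item name -> level rank
        self.children = defaultdict(set)  # parent item -> direct children
        self.assigned = defaultdict(set)  # user -> directly assigned items

    def add_item(self, name, level):
        self.rank[name] = LEVEL[level]    # KeyError on an unknown level

    def _reachable(self, start):
        """Return start plus everything it inherits, directly or transitively."""
        seen, stack = set(), [start]
        while stack:
            item = stack.pop()
            if item not in seen:
                seen.add(item)
                stack.extend(self.children.get(item, ()))
        return seen

    def add_child(self, parent, child):
        if self.rank[child] > self.rank[parent]:
            raise ValueError(f"{parent} ranks below {child} and cannot be its parent")
        # Same-level links are allowed, so loops are possible; reject them.
        if parent in self._reachable(child):
            raise ValueError(f"{parent} -> {child} would create a loop")
        self.children[parent].add(child)

    def assign(self, user, item):
        if item not in self.rank:
            raise KeyError(item)
        self.assigned[user].add(item)

    def check_access(self, user, required):
        """Deny by default: allow only if an assigned item reaches `required`."""
        return any(required in self._reachable(i) for i in self.assigned.get(user, ()))

def build_example():
    g = AuthGraph()  # constructed sample data; every name here is hypothetical
    for name, level in [("editRecord", "operation"), ("dataEntry", "task"), ("clerk", "role")]:
        g.add_item(name, level)
    for parent, child in [("clerk", "dataEntry"), ("dataEntry", "editRecord")]:
        g.add_child(parent, child)
    g.assign("alice", "clerk")
    return g
```

Validating links when they are written keeps the access check a plain graph walk that cannot recurse forever, which matters if the same walk is later expressed as a looping or recursive script.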