Adobe 38043740 - ColdFusion Standard - Mac Development Manual page 346

Developing applications
DEVELOPING COLDFUSION 9 APPLICATIONS
Developing CFML Applications
• Employee pages go in another directory whose rules limit the files they modify and the tags they use.
• Pages required for both HR and employee functions go in a third directory with appropriate access rules.
About user security
User security lets your application use security rules to determine what it shows. It has two elements:
Authentication: Ensures that a valid user is logged-in, based on an ID and password provided by the user. ColdFusion (or, in some cases if you use web server authentication, the web server) maintains the user ID information while the user is logged-in.
Authorization: Ensures that the logged-in user is allowed to use a page or perform an operation. Authorization is typically based on one or more roles (sometimes called groups) to which the user belongs. For example, in an employee database, all users could be members of either the employee role or the contractor role. They could also be members of roles that identify their department, position in the corporate hierarchy, or job description. For example, someone could be a member of some or all of the following roles:
• Employees
• Human Resources
• Benefits
• Managers
Roles enable you to control access to your application resources without requiring the application to maintain knowledge about individual users. For example, suppose you use ColdFusion for your company's intranet. The Human Resources department maintains a page on the intranet on which all employees can access timely information about the company, such as the latest company policies, upcoming events, and job postings. You want everyone to be able to read the information, but you want only certain authorized Human Resources employees to be able to add, update, or delete information.

Your application gets the user's roles from the user information data store when the user logs in, and then enables access to specific pages or features based on the roles. Typically, you store user information in a database, LDAP directory, or other secure information store.

You also use the user ID for authorization, for example, to let employees view customized information about their own salaries, job levels, and performance reviews. You certainly would not want one employee to view sensitive information about another employee, but you would want managers to be able to see, and possibly update, information about their direct reports. By employing both user IDs and roles, you ensure that only the appropriate people access or work with sensitive data.
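The following is an added example, not code from the manual, showing how the two elements fit together in CFML: Application.cfc logs the user in with the roles found in the user store, and a salary page then combines the user ID with the Managers role as described above. The sample user store, the directReports map, loginform.cfm, and the user names are constructed assumptions; a real application would read them from a database or LDAP directory.

```cfml
<!--- Application.cfc (constructed example): authenticate and attach the user's roles --->
<cfcomponent>
    <cfset this.name = "hrIntranetExample">
    <cfset this.sessionManagement = true>
    <cfset this.loginStorage = "session">

    <cffunction name="onRequestStart" returnType="boolean" output="false">
        <!--- Constructed sample user store; normally a database or LDAP query --->
        <cfset var users = {
            alice = { password = "a-secret", roles = "Employees,Human Resources" },
            bob   = { password = "b-secret", roles = "Employees" },
            carol = { password = "c-secret", roles = "Employees,Managers" }
        }>
        <cflogin>
            <!--- ColdFusion fills cflogin.name/cflogin.password from the login form or Basic header --->
            <cfif isDefined("cflogin") and structKeyExists(users, cflogin.name)
                  and compare(users[cflogin.name].password, cflogin.password) eq 0>
                <cfloginuser name="#cflogin.name#" password="#cflogin.password#"
                             roles="#users[cflogin.name].roles#">
            <cfelse>
                <cfinclude template="loginform.cfm">   <!--- assumed login form page --->
                <cfabort>
            </cfif>
        </cflogin>
        <cfreturn true>
    </cffunction>
</cfcomponent>

<!--- salary.cfm (constructed example): user ID plus role decide who may see which record --->
<cfparam name="url.employeeId" default="#getAuthUser()#">
<!--- Constructed manager-to-direct-reports map; normally comes from the HR database --->
<cfset directReports = { carol = "bob" }>
<cfset requester = getAuthUser()>
<cfif compareNoCase(url.employeeId, requester) eq 0>
    <cfset allowed = true>   <!--- anyone may view their own record --->
<cfelseif isUserInRole("Managers") and structKeyExists(directReports, requester)
          and listFindNoCase(directReports[requester], url.employeeId)>
    <cfset allowed = true>   <!--- managers may view their direct reports only --->
<cfelse>
    <cfset allowed = false>  <!--- everyone else is denied, including other employees --->
</cfif>
<cfif not allowed>
    <cfthrow type="Unauthorized" message="You may not view this employee's record.">
</cfif>
<cfoutput>Showing salary record for #htmlEditFormat(url.employeeId)#</cfoutput>
```

With this store, bob can view only his own record, carol can also view bob's, and alice, despite her Human Resources role, is refused any record but her own because the salary check keys on user ID and the Managers role rather than on HR membership.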
Last updated 1/20/2012
341