Authorization/docs/database_schema.sql
admin 7349ed4e1b updated
instead middle_name it's middle_initial
2026-01-22 14:13:09 +08:00


-- Database Migration for RBAC + ABAC Authorization
-- Run this script to set up the authorization tables
-- Note: The tables are already populated with your data
-- This script is provided for reference and documentation
-- ============================================================
-- TABLE: permissions
-- Stores all system permissions (resource + action)
-- ============================================================
CREATE TABLE IF NOT EXISTS permissions (
    -- Surrogate key; policy_attributes.permission_id points at it.
    id INT NOT NULL AUTO_INCREMENT,
    -- Human-readable label; not constrained to be unique.
    permission_name VARCHAR(100) NOT NULL,
    description TEXT,
    -- The protected object and the operation on it; the pair is the natural key.
    resource VARCHAR(100) NOT NULL,
    action VARCHAR(50) NOT NULL,
    PRIMARY KEY (id),
    CONSTRAINT unique_permission UNIQUE KEY (resource, action),
    -- Same columns as the unique constraint above, so this index is
    -- functionally redundant; it is kept because the ALTER TABLE section
    -- further down refers to it by name.
    KEY idx_resource_action (resource, action)
) ENGINE = InnoDB DEFAULT CHARSET = utf8mb4;
-- ============================================================
-- TABLE: policy_attributes
-- Stores ABAC policy constraints for permissions
-- ============================================================
CREATE TABLE IF NOT EXISTS policy_attributes (
    id INT NOT NULL AUTO_INCREMENT,
    -- Name of the attribute this constraint inspects (the commented example
    -- below uses 'role' and 'is_activated').
    attribute_name VARCHAR(100) NOT NULL,
    -- Which side of the access request the attribute is read from.
    attribute_type ENUM('user', 'resource', 'environment') NOT NULL,
    -- Operator applied between the live attribute and attribute_value.
    comparison ENUM('=', '!=', '>', '<', '>=', '<=', 'IN', 'CONTAINS', 'STARTS_WITH', 'ENDS_WITH') NOT NULL,
    -- Always text. NOTE(review): the ordering operators ('>', '<', '>=', '<=')
    -- only behave numerically if the evaluating code casts both sides —
    -- confirm in the policy evaluator.
    attribute_value VARCHAR(255) NOT NULL,
    -- Permission this row narrows; rows are dropped with their permission.
    -- No uniqueness is declared, so the same constraint may be stored twice;
    -- how several rows for one permission combine (all must hold vs. any)
    -- is decided by the application, not the schema — TODO confirm.
    permission_id INT NOT NULL,
    PRIMARY KEY (id),
    KEY idx_permission_id (permission_id),
    FOREIGN KEY (permission_id) REFERENCES permissions (id) ON DELETE CASCADE
) ENGINE = InnoDB DEFAULT CHARSET = utf8mb4;
-- ============================================================
-- TABLE: user_attributes
-- Stores user-specific attributes for ABAC evaluation
-- ============================================================
CREATE TABLE IF NOT EXISTS user_attributes (
    id INT NOT NULL AUTO_INCREMENT,
    -- Same shape as users.user_id, but no FOREIGN KEY is declared (users is
    -- created further down in this file), so attribute rows are not removed
    -- with their user; referential integrity is left to the application.
    user_id CHAR(11) NOT NULL,
    attribute_name VARCHAR(100) NOT NULL,
    attribute_value VARCHAR(255) NOT NULL,
    PRIMARY KEY (id),
    -- user_id is already the leading column of unique_user_attribute, so this
    -- index is redundant; kept because the ALTER TABLE section below names it.
    KEY idx_user_id (user_id),
    -- One row per (user, attribute name).
    CONSTRAINT unique_user_attribute UNIQUE KEY (user_id, attribute_name)
) ENGINE = InnoDB DEFAULT CHARSET = utf8mb4;
-- ============================================================
-- TABLE: users
-- Main user table (already exists in your schema)
-- ============================================================
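CREATE TABLE IF NOT EXISTS users (
    user_id CHAR(11) PRIMARY KEY,
    first_name VARCHAR(50) NOT NULL,
    middle_initial CHAR(1),
    last_name VARCHAR(50) NOT NULL,
    suffix VARCHAR(10),
    -- Indexed but not UNIQUE; duplicate addresses are possible unless the
    -- application or the pre-existing schema enforces it.
    email_address VARCHAR(60) NOT NULL,
    account_type VARCHAR(60) NOT NULL,
    emp_id VARCHAR(50),
    -- Short fixed-width codes; presumably administrative-area codes
    -- (region / province / municipality / barangay) — confirm against the app.
    -- aProv keeps its camelCase name because the table already exists in the
    -- deployed schema.
    reg CHAR(2),
    prov CHAR(3),
    aProv CHAR(3),
    mun CHAR(2),
    bgy CHAR(3),
    -- Flags are stored as 'Y'/'N' text rather than BOOLEAN (the defaults show
    -- the convention); filter with = 'Y' / = 'N', not TRUE/FALSE.
    is_logged_in CHAR(2) DEFAULT 'N',
    first_logged_in CHAR(2) DEFAULT 'N',
    address VARCHAR(255),
    contact_number VARCHAR(13),
    device_id VARCHAR(50),
    -- No FOREIGN KEY to a roles table is declared in this file.
    role_id INT,
    role_dps INT,
    is_deleted VARCHAR(2) DEFAULT 'N',
    -- NOTE(review): the name suggests a credential or shared secret; confirm
    -- the application stores it hashed or encrypted, never in clear text.
    secret_key VARCHAR(100),
    is_activated VARCHAR(2) DEFAULT 'Y',
    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
    updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
    INDEX idx_email (email_address),
    INDEX idx_role (role_id),
    -- Declared inline so this CREATE TABLE is complete on its own; the
    -- ALTER TABLE ... ADD INDEX IF NOT EXISTS for it further down then
    -- becomes a no-op.
    INDEX idx_is_deleted (is_deleted)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;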
-- ============================================================
-- EXAMPLE: Adding a New Permission
-- ============================================================
-- Step 1: Insert the permission
/*
INSERT INTO permissions (permission_name, description, resource, action)
VALUES ('Delete User Account', 'Permanently delete a user account', 'users', 'delete');
-- Step 2: Add ABAC policies (optional)
INSERT INTO policy_attributes (attribute_name, attribute_type, comparison, attribute_value, permission_id)
VALUES
('role', 'user', '=', 'Super Admin', LAST_INSERT_ID()),
('is_activated', 'resource', '=', 'N', LAST_INSERT_ID());
*/
-- ============================================================
-- EXAMPLE: Adding User Attributes
-- ============================================================
/*
INSERT INTO user_attributes (user_id, attribute_name, attribute_value)
VALUES
('U0000000005', 'region', '02'),
('U0000000005', 'role', 'Regional Admin'),
('U0000000005', 'action_user_role', 'Regional Administrator'),
('U0000000005', 'role_dps', '1');
*/
-- ============================================================
-- INDEXES for Performance
-- ============================================================
-- These should already be created by the CREATE TABLE statements above
-- but are listed here for reference:
-- permissions table
-- IF NOT EXISTS on ADD INDEX/KEY is MariaDB syntax; stock MySQL rejects it,
-- so on MySQL run these statements only when the index is known to be absent.
ALTER TABLE permissions ADD KEY IF NOT EXISTS idx_resource_action (resource, action);
-- policy_attributes table
ALTER TABLE policy_attributes ADD KEY IF NOT EXISTS idx_permission_id (permission_id);
-- user_attributes table
ALTER TABLE user_attributes ADD KEY IF NOT EXISTS idx_user_id (user_id);
-- users table: if CREATE TABLE users above does not declare idx_is_deleted,
-- this is the statement that creates it (presumably for filtering on the
-- soft-delete flag); IF NOT EXISTS keeps re-runs safe either way.
ALTER TABLE users ADD KEY IF NOT EXISTS idx_is_deleted (is_deleted);
-- ============================================================
-- VERIFICATION QUERIES
-- ============================================================
-- Check permissions count
-- SELECT COUNT(*) as total_permissions FROM permissions;
-- Check policies count
-- SELECT COUNT(*) as total_policies FROM policy_attributes;
-- Check user attributes count
-- SELECT COUNT(*) as total_user_attributes FROM user_attributes;
-- View permissions with their policies
/*
SELECT
p.id,
p.permission_name,
p.resource,
p.action,
COUNT(pa.id) as policy_count
FROM permissions p
LEFT JOIN policy_attributes pa ON p.id = pa.permission_id
GROUP BY p.id
ORDER BY p.id;
*/
-- View user with all attributes
/*
SELECT
u.user_id,
u.first_name,
u.last_name,
ua.attribute_name,
ua.attribute_value
FROM users u
LEFT JOIN user_attributes ua ON u.user_id = ua.user_id
WHERE u.user_id = 'U0000000001'
ORDER BY ua.attribute_name;
*/