Security Model Question 1

[3587ch]

When setting up an asp.net application using SQL Server 2005 as the database, I can create roles in the database and assign users to the roles and then in the app limit their access to pages or objects. I have scene system where once a user is assigned to a role there is a page with many many checkboxes to allow the organization to say what that user can or cannot do. I have also scene where the role itseld determines the access for the user.

My question is how do they code the way that let's the organization make many selections for the specific user and the role they are assigned?

Thank you,

 

[jmeckley]

there are a variety of ways to code this. It's not a simple problem to solve though. some things to consider:

if you are assigning users to roles, then there is no need for user specific actions, only role specific actions. coding to a user and a role is needlessly complex.

a role can perform any number of actions within the system. an action can have one of the following states:
action explicitly allowed
action explicitly denied
action implicitly denied

actions can be standard CRUD (create, read, update delete) operations on an entity. They can also be process driven. ShipOrder, CancelPayment, OverrideDiscount. These are behavior actions and usually require multiple entities to complete the workflow.

I have only seen one implementation of this: Rhino.Security which is part of the Rhino.Stack originally created by Oren (aka Ayende Rahien). Of all the tools in the Rhino stack this is the one I still do not fully grasp in implementation. others have sworn by it and praise it's flexibility and "ease" of use.

If this is a large scale (complexity) system it would be worth the investment (time) to research this. if this is a smaller scale app (simplicity) I would just use the built-in asp.net security model which can be configured in the web.config.

Jason Meckley
Programmer
Specialty Bakers, Inc.

faq855-7190

 

[3587ch]

Great information,

Thank you so much,