ASP.NET - Resource Security Methodology

OHM

I'm just wondering what different approaches people would take or have taken to
solving the issues I'm about to talk about.

When you are writing an ASP.NET application for a small group of users or an
open group of users, security of resources may not factor very highly.
However, when you begin to write an application/set of applications for a
whole organisation then how you handle security becomes a big issue.

For example, let's say our organisation has 10 departments and each of them
has its own set of applications, but some are shared between them. For
example, a timesheet might be shared by all users, but a business analysis
application may only be used by the finance and marketing departments. All
of these may have guest access. So, for example, menus and webforms need to
be enabled or checked whenever a user tries to open a form or a user performs
an action. How do we do this? Here are some approaches I have either seen or
used or thought about in the past. All involve groups or roles (essentially
this is the same thing functionally).

If you are interested in commenting on your approach, please do as I would
like to see the way others have approached this issue?!?!

Many Thanks - OHM

1. Option 1
In the BAL you check the user's membership against the groups supplied from
the form. This could equally be done on the form itself. The problem with
this approach is that whenever you want to change access levels, this has
to be changed on the form, which restarts the application.

2. Option 2
Same as option 1, but you store the access restrictions in an XML file or
equivalent, and pass them to the BAL.

3. Option 3
Same as option 1, but you host a mapping table on the server. The only
problem with this is that it then becomes messy from a coding point of view
on the form because you are working with ID numbers.

4. Option 4
Totally make this programmatic, so that each resource/action on a form
relates to an ID in a resource action table. Then map this to the groups
which can access resources or perform actions. This is the most complex,
but flexible, approach of these four. However, this could get cumbersome and
may well slow things down if there are several hundred forms over a range of
applications, each with its own array of resources or actions.
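
As an added example that is not part of the original post: one way option 4 could look in C#, with an in-memory dictionary standing in for the resource action table and the group check delegated to `IPrincipal.IsInRole`. The class and method names, the "Sales" group and the sample rows are hypothetical and constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

// Hypothetical names throughout. The dictionary stands in for the resource
// action table, which a real application would load from its database.
public sealed class ResourceActionAuthorizer
{
    private readonly Dictionary<(string, string), HashSet<string>> _grants =
        new Dictionary<(string, string), HashSet<string>>();

    // Normalise case so "Timesheet"/"View" and "timesheet"/"view" hit the same row.
    private static (string, string) Key(string resource, string action) =>
        (resource.ToUpperInvariant(), action.ToUpperInvariant());

    public void Grant(string resource, string action, params string[] groups)
    {
        var key = Key(resource, action);
        if (!_grants.TryGetValue(key, out var allowed))
            _grants[key] = allowed = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        allowed.UnionWith(groups);
    }

    // Deny by default: a resource/action pair with no row is refused for everyone.
    public bool IsAllowed(IPrincipal user, string resource, string action) =>
        _grants.TryGetValue(Key(resource, action), out var allowed)
        && allowed.Any(g => user.IsInRole(g));
}

public static class Demo
{
    public static void Main()
    {
        var authz = new ResourceActionAuthorizer();
        // Constructed sample rows based on the applications named in the post.
        authz.Grant("Timesheet", "View", "Finance", "Marketing", "Sales", "Guest");
        authz.Grant("Timesheet", "Submit", "Finance", "Marketing", "Sales");
        authz.Grant("BusinessAnalysis", "View", "Finance", "Marketing");

        var finance = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Finance" });
        var guest = new GenericPrincipal(new GenericIdentity("guest"), new[] { "Guest" });

        Console.WriteLine("finance, BusinessAnalysis/View: " + authz.IsAllowed(finance, "BusinessAnalysis", "View"));
        Console.WriteLine("guest, BusinessAnalysis/View:   " + authz.IsAllowed(guest, "BusinessAnalysis", "View"));
        Console.WriteLine("guest, Timesheet/Submit:        " + authz.IsAllowed(guest, "Timesheet", "Submit"));
        Console.WriteLine("finance, Payroll/View (no row): " + authz.IsAllowed(finance, "Payroll", "View"));
    }
}
```

In a page or in the BAL, the principal passed in would be the current request's user, for example `HttpContext.Current.User`.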