Best Practices for handling sensitive data in the UI

Discussion in 'ASP .Net' started by Bill Fuller, Aug 13, 2007.

  1. Bill Fuller

    Bill Fuller Guest

    Here is the scenario. We will be writing a web application that will need to
    sometimes properly handle sensitive data (salary, ssn, profit, etc.) using
    roles. This data will be restricted at a macro level (for example, no access
    to accounting modules unless authorized) and a more granular level (no
    visibility, read-only, and read-update to certain fields, such as personal
    information, depending on role).

    Question: Is there a good source of information on best practices for
    handling this? For example, does it make sense to provide custom controls
    for some/all of managed fields containing sensitive data?
    Bill Fuller, Aug 13, 2007
    #1

  2. I usually create a "data class" that keeps all sensitive data, takes a
    'security level' in its constructor, and exposes the data using properties.
    Like:

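    class clsEmployee
    {
        private readonly int _iLevel;   // security level of the caller
        private decimal _dSalary;       // sensitive value, never exposed directly

        public clsEmployee(int iLevel)
        {
            _iLevel = iLevel;
        }

        public decimal Salary
        {
            get
            {
                // Only level 1 may read the salary; every other level gets 0.
                if (_iLevel != 1)
                    return 0;
                else
                    return _dSalary;
            }
        }
    }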

    George.
    George Ter-Saakov, Aug 13, 2007
    #2
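
An added sketch of the data-class idea from post #2, extended to the three field levels named in the question (no visibility, read-only, read-update). It is not code from any poster or from CSLA; `FieldAccess`, `FieldPolicy`, `SalaryAccess` and the role names are hypothetical. A denied read throws instead of returning 0, and the setter enforces the same policy as the getter.

```csharp
using System;
using System.Collections.Generic;
public enum FieldAccess { None, ReadOnly, ReadUpdate }   // the three levels from the question

public sealed class FieldPolicy
{
    // (role, field) -> access; any pair not listed is denied by default.
    private readonly Dictionary<(string, string), FieldAccess> _rules =
        new Dictionary<(string, string), FieldAccess>();
    public void Allow(string role, string field, FieldAccess access) => _rules[(role, field)] = access;
    public FieldAccess For(string role, string field) =>
        _rules.TryGetValue((role, field), out var access) ? access : FieldAccess.None;
}

public sealed class Employee
{
    private readonly FieldPolicy _policy;
    private readonly string _role;   // caller's role, resolved on the server
    private decimal _salary;

    public Employee(FieldPolicy policy, string role, decimal salary)
    { _policy = policy; _role = role; _salary = salary; }

    // The UI reads this to hide, lock or enable the salary control.
    public FieldAccess SalaryAccess => _policy.For(_role, "Salary");

    public decimal Salary
    {
        // Throw rather than return 0, so "denied" is never mistaken for a real value.
        get { Demand(FieldAccess.ReadOnly); return _salary; }
        // Checked on write too: a read-only control in the page is not an access check.
        set { Demand(FieldAccess.ReadUpdate); _salary = value; }
    }

    private void Demand(FieldAccess needed)
    { if (SalaryAccess < needed) throw new UnauthorizedAccessException("Salary requires " + needed); }
}

public static class Demo
{
    public static void Main()
    {
        var policy = new FieldPolicy();
        policy.Allow("Payroll", "Salary", FieldAccess.ReadUpdate);
        policy.Allow("Manager", "Salary", FieldAccess.ReadOnly);
        foreach (var role in new[] { "Payroll", "Manager", "Clerk" })   // constructed sample roles
            Console.WriteLine(role + ": " + new Employee(policy, role, 50000m).SalaryAccess);
    }
}
```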

  3. Bill Fuller

    Bill Fuller Guest

    Interesting... I like that idea. Simple and elegant.

    Thanks.
    Bill Fuller, Aug 13, 2007
    #3
  4. sloan

    sloan Guest

    You should take a look at the CSLA framework for this specific need, as ~an
    option.
    sloan, Aug 13, 2007
    #4
  5. Bill Fuller

    Bill Fuller Guest

    I never heard of this, but a quick google on it looks promising.

    I see the framework has support for Remoting. Do you know if it has been
    extended to support WCF?

    Also, do you know if it will complement Enterprise Library blocks? (Logging,
    security, database, etc.)
    Bill Fuller, Aug 13, 2007
    #5
  6. sloan

    sloan Guest

    He was at my user group meeting a few weeks ago.

    And he said it had been WCF enabled, as a DataPortal channel option.

    If you buy the book, it'll be just the 2.0 version.

    I think you can buy a supplement book from his website, and that's where you
    get the extra stuff.

    Check the DotNetRocks website; they had a good interview with Rocky as well,
    where he, in plain English, discusses some of his framework.


    I'm not using the CSLA currently, so I don't know about the Ent Lib Block
    integration.
    But odds are, it'll work fine. Rocky is very aware of "what's out there".
    sloan, Aug 13, 2007
    #6