Control Level Authorization

Discussion in 'ASP .Net Security' started by lmobilesysteme, Mar 6, 2007.

  1. Hello,

    We are unable to solve the following problem: will the Membership Model
    allow restricting access at the control level? For example, I have a form with
    multiple buttons and I want only users in specific roles to access some of
    them. How would this be accomplished using the integrated ASP.NET Security Model?

    Is this something which I have to do on an attribute basis in my source code?
    And if yes, what if roles are changed after deployment of my source code? Btw,
    this is my first post. So be gentle.

    --
    lmobile
     
    lmobilesysteme, Mar 6, 2007
    #1

  2. Joe Kaplan, Guest

    The membership model can be used to do this kind of thing using the various
    role providers. Typically, you do this stuff programmatically rather than
    declaratively using membership, although you could maybe do a mix.

    The code generally looks something like:

    if (user.IsInRole(xxx))
    {
        // draw this control, allow this action or whatever
    }

    The concept of changing the rendered UI to show certain controls to certain
    users but not others for security purposes is generally called "security
    trimming". Protecting operations in your code by enforcing authorization
    policy is generally just called role-based authorization. Typically, you
    want to do both things in your app, although security trimming is typically
    regarded as less important as long as the code that actually does the
    protected operations is enforcing the authorization policy.

    You generally want to try to get your roles nailed down during
    design/development, as you are coding to basically a static model. If these
    change, it can be problematic. If you want a more flexible/powerful model
    that allows you some additional levels of indirection to make this easier to
    maintain, look at AzMan instead. With it, you program to more granular
    things called "operations". Operations map to tasks which map to roles
    which map to principals (users and groups). All of that mapping policy is
    done declaratively, so as long as the operations stay static and don't
    overlap, you can change who gets to do them whenever you want at runtime via
    configuration.

    This is actually a complex topic and could fill a book. I'd suggest
    Dominick's book if you want a good place to start. :)

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
     
    Joe Kaplan, Mar 6, 2007
    #2
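    As an added example (not code from this thread or from any of the posters), here is an ASP.NET 2.0 WebForms code-behind that does both of the things Joe describes: security trimming in Page_Load and role-based authorization in the click handler. To address the "what if roles change after deployment" question without AzMan, the operation-to-role mapping is read from appSettings rather than hardcoded, a lightweight version of the operations-to-roles indirection Joe mentions. The control ids, the appSettings key naming scheme, the role names and the OrderPage class are assumptions.

```csharp
// Added example, not code from the thread. ASP.NET 2.0 WebForms code-behind that
// trims the UI for users who may not use a button and, separately, enforces the
// same policy inside the handler that does the protected work. The role list for
// each operation comes from web.config so it can change without a rebuild.
using System;
using System.Configuration;
using System.Security;
using System.Security.Principal;
using System.Web.UI;
using System.Web.UI.WebControls;

public static class OperationAuthorizer
{
    // Assumed web.config fragment:
    //   <appSettings>
    //     <add key="Operation.ApproveOrder" value="Approvers,Managers" />
    //   </appSettings>
    // Returns true when the principal is authenticated and holds at least one role
    // mapped to the named operation. A missing mapping authorizes nobody (fail closed).
    public static bool IsAllowed(IPrincipal principal, string operation)
    {
        if (principal == null || !principal.Identity.IsAuthenticated)
        {
            return false;
        }

        string roleList = ConfigurationManager.AppSettings["Operation." + operation];
        if (string.IsNullOrEmpty(roleList))
        {
            return false;
        }

        foreach (string role in roleList.Split(','))
        {
            string trimmed = role.Trim();
            if (trimmed.Length > 0 && principal.IsInRole(trimmed))
            {
                return true;
            }
        }
        return false;
    }

    // Throws rather than returning so a caller cannot forget to check the result.
    public static void Demand(IPrincipal principal, string operation)
    {
        if (!IsAllowed(principal, operation))
        {
            throw new SecurityException("Caller is not authorized for operation '" + operation + "'.");
        }
    }
}

public partial class OrderPage : Page
{
    // Assumed operation name; the key "Operation.ApproveOrder" in appSettings maps it to roles.
    private const string ApproveOperation = "ApproveOrder";

    protected Button ApproveButton;   // assumed control id declared in the .aspx markup
    protected Label StatusLabel;      // assumed control id declared in the .aspx markup

    protected void Page_Load(object sender, EventArgs e)
    {
        // Security trimming: render the button only for users who may use it.
        // Page.User is the IPrincipal the role provider populated for this request.
        ApproveButton.Visible = OperationAuthorizer.IsAllowed(User, ApproveOperation);
    }

    protected void ApproveButton_Click(object sender, EventArgs e)
    {
        // Role-based authorization: a postback is just another HTTP request, so the
        // policy is enforced again at the point where the protected operation runs.
        OperationAuthorizer.Demand(User, ApproveOperation);

        StatusLabel.Text = "Order approved by " + User.Identity.Name + ".";
    }
}
```

    Changing which roles may approve orders is then an edit to web.config rather than to the page, which is the property the original question is after; the operation name itself stays static in code, the same constraint Joe describes for AzMan operations.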

  3. :)

    Especially since there are ways to get around that if only security trimming
    is applied...

    Google for "EventValidation" - or, yes, have a look at my book... (see
    link below) ;)


    -----
    Dominick Baier (http://www.leastprivilege.com)

    Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

     
    Dominick Baier, Mar 6, 2007
    #3
  4. Hi lmobile,

    I agree with Joe. So far, regarding the question scenario you raised,
    ASP.NET's built-in declarative authorization setting cannot directly address
    it (since it is per page based). If you want smaller granularity inside a
    single page, you need to add some code to do the checking and
    redirection (as Joe has mentioned). If you want a more reusable solution, I
    think you can consider developing a custom button server control which
    exposes some additional property (and internal code logic) to do role
    authorization... What do you think?

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead


    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Steven Cheng[MSFT], Mar 7, 2007
    #4
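    As an added example (not code from this thread or from any of the posters), here is the kind of reusable server control Steven suggests: a Button subclass with an AllowedRoles property that hides itself for users outside those roles and, separately, refuses to raise Click for them. The second check is the answer to Dominick's point that trimming alone can be worked around, since a postback naming a control can arrive whether or not the control was rendered. The namespace, tag prefix, assembly name and role names are assumptions.

```csharp
// Added example, not code from the thread. A reusable ASP.NET 2.0 server control
// that combines security trimming with in-control enforcement.
//
// Assumed markup on the page:
//   <%@ Register TagPrefix="sec" Namespace="MyApp.Controls" Assembly="MyApp" %>
//   <sec:RoleButton runat="server" ID="ApproveButton" Text="Approve"
//                   AllowedRoles="Approvers,Managers" OnClick="ApproveButton_Click" />
using System;
using System.Security;
using System.Web.UI.WebControls;

namespace MyApp.Controls
{
    public class RoleButton : Button
    {
        // A plain field rather than ViewState: the markup re-applies the value on
        // every request, so there is no need to round-trip authorization policy
        // through the client even though ViewState is MAC-protected by default.
        private string allowedRoles = string.Empty;

        // Comma-separated list of roles permitted to see and use this button.
        // An empty list authorizes nobody (fail closed).
        public string AllowedRoles
        {
            get { return allowedRoles; }
            set { allowedRoles = value ?? string.Empty; }
        }

        // True when the request's principal is authenticated and holds at least one listed role.
        protected bool IsAuthorized()
        {
            if (Page == null || Page.User == null || !Page.User.Identity.IsAuthenticated)
            {
                return false;
            }

            foreach (string role in allowedRoles.Split(','))
            {
                string trimmed = role.Trim();
                if (trimmed.Length > 0 && Page.User.IsInRole(trimmed))
                {
                    return true;
                }
            }
            return false;
        }

        // Security trimming: unauthorized users never get the button rendered.
        protected override void OnPreRender(EventArgs e)
        {
            Visible = IsAuthorized();
            base.OnPreRender(e);
        }

        // Role-based authorization: the check is repeated before the page's Click
        // handler runs, so it holds even if a postback targets this control
        // without the button having been rendered.
        protected override void OnClick(EventArgs e)
        {
            if (!IsAuthorized())
            {
                throw new SecurityException("Caller is not permitted to use control '" + ID + "'.");
            }
            base.OnClick(e);
        }
    }
}
```

    With the control in place, the page's own Click handler still runs only after OnClick has passed the check, so per-button policy lives in one property on the markup instead of being repeated in every handler. ASP.NET 2.0 event validation (the feature Dominick points to) separately rejects postbacks that name controls which were not rendered when it is left enabled; the OnClick check is the explicit enforcement that does not depend on that setting.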
