Control Level Authorization

lmobilesysteme

Hello,

we are unable to solve the following problem: Will the Membership Model
allow restricting access at the control level? For example, I have a form with
multiple buttons and I want only users in specific roles to access some of
them. How would this be accomplished using the integrated ASP.Net Security Model?

Is this something which I have to do on an attribute basis in my source code?
And if yes, what if roles are changed after deployment of my source code? Btw.
this is my first post. So be gentle.
 
J

Joe Kaplan

The membership model can be used to do this kind of thing using the various
role providers. Typically, you do this stuff programmatically rather than
declaratively using membership, although you could maybe do a mix.

The code generally looks something like:

// User is the current IPrincipal (Page.User / HttpContext.Current.User);
// IsInRole is answered by the configured role provider.
if (User.IsInRole("SomeRole"))
{
    // draw this control, allow this action or whatever
}

The concept of changing the rendered UI to show certain controls to certain
users but not others for security purposes is generally called "security
trimming". Protecting operations in your code by enforcing authorization
policy is generally just called role-based authorization. Typically, you
want to do both things in your app, although security trimming is typically
regarded as less important as long as the code that actually does the
protected operations is enforcing the authorization policy.

You generally want to try to get your roles nailed down during
design/development, as you are coding to basically a static model. If these
change, it can be problematic. If you want a more flexible/powerful model
that allows you some additional levels of indirection to make this easier to
maintain, look at AzMan instead. With it, you program to more granular
things called "operations". Operations map to tasks which map to roles
which map to principals (users and groups). All of that mapping policy is
done declaratively, so as long as the operations stay static and don't
overlap, you can change who gets to do them whenever you want at runtime via
configuration.

This is actually a complex topic and could fill a book. I'd suggest
Dominick's book if you want a good place to start. :)

Joe K.
 
D

Dominick Baier

:)

Especially since there are ways to get around that if only security trimming
is applied...

Google for "EventValidation" - or - yes - have a look at my book....(see
link below) ;)
 
S

Steven Cheng[MSFT]

Hi lmobile,

I agree with Joe. So far, regarding the question scenario you raised, the
ASP.NET built-in declarative authorization setting cannot directly address
it (since it is per page based). If you want smaller granularity inside a
single page, you need to add some code to do the checking and
redirection (as Joe has mentioned). If you want a more reusable solution, I
think you can consider developing a custom button server control which
exposes some additional property (and internal code logic) to do role
authorization... What do you think?

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


This posting is provided "AS IS" with no warranties, and confers no rights.
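An added example, not code from anyone in this thread: a hypothetical custom Button control along the lines Steven suggests, which also implements Joe's point about doing both security trimming and role-based authorization. It assumes an ASP.NET Web Forms site with the role manager (a RoleProvider) configured, so that IPrincipal.IsInRole on the current user is answered by that provider; the control name, the AllowedRoles property and the role names in the comment are all made up for the example.

```csharp
using System;
using System.Linq;
using System.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical control: a Button that is both security-trimmed (not rendered
// for users outside AllowedRoles) and authorization-enforced (its Click
// handler never runs for them, even if a postback is aimed at the control).
public class RoleButton : Button
{
    // Comma-separated role names, set in markup, e.g. AllowedRoles="Managers,Admins"
    public string AllowedRoles
    {
        get { return (string)ViewState["AllowedRoles"] ?? string.Empty; }
        set { ViewState["AllowedRoles"] = value; }
    }

    // Role check against the current request's principal; with role manager
    // enabled, IsInRole is answered by the configured RoleProvider.
    private bool UserIsAuthorized()
    {
        var roles = AllowedRoles
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(r => r.Trim());
        var user = Context.User;
        return user != null
            && user.Identity.IsAuthenticated
            && roles.Any(r => user.IsInRole(r));
    }

    // Security trimming: the button is simply not rendered for other users.
    protected override void OnPreRender(EventArgs e)
    {
        Visible = UserIsAuthorized();
        base.OnPreRender(e);
    }

    // Role-based authorization: re-check on the server before raising Click,
    // so hiding the control is never the only thing standing in the way.
    protected override void OnClick(EventArgs e)
    {
        if (!UserIsAuthorized())
            throw new SecurityException("Role check failed for control " + ID);
        base.OnClick(e);
    }
}
```

Because the decision is re-evaluated on every request, changing which users belong to a role in the provider's store takes effect without redeploying the page.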