Customizable Role-based Authorization

Discussion in 'ASP .Net' started by Snig, Apr 25, 2005.

  1. Snig

    Snig Guest

    Hi all

    I need to implement the following scenario in my application:
    1. Roles are stored in SQL-SERVER.
    2. Access Rights will be given to the roles by the administrator by the
    application itself.
    3. Access Rights will be given on functionality basis. e.g. some role
    can Add a new record, some can search for some particular records, some
    can update it etc. We have these functionality implemented by standard
    buttons in pages. Let's call these as "Access Areas".
    4. There are huge number of such Access Areas to be implemented in
    various pages. Though they are finite (means administrator cannot
    create/delete these access areas), but he can change the permission
    over an Access Area to a role.

    Solutions I thought:
    1. I can, of course, write few lines in individual pages, read the
    settings from database and apply. But I want to do this centrally, like
    in application_authorizerequest event of global.asax file.
    2. I can create custom/user controls for each of the Access Areas and
    implement security model onto that. But, we have developed the
    application too far before the customer has made this request.

    In this scenario, can somebody help me about how should I design the
    security model?

    Thanks
    Snig.
     
    Snig, Apr 25, 2005
    #1

  2. I successfully developed an app using role-based forms authentication by
    using the techniques outlined in these articles:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;311495
    http://www.4guysfromrolla.com/webtech/121901-1.2.shtml

    Here is another article you may find useful as well:
    http://www.eggheadcafe.com/articles/20020906.asp

    --
    I hope this helps,
    Steve C. Orr, MCSD, MVP
    http://SteveOrr.net


    "Snig" <> wrote in message
    news:...
    > Hi all
    >
    > I need to implement the following scenario in my application:
    > 1. Roles are stored in SQL-SERVER.
    > 2. Access Rights will be given to the roles by the administrator by the
    > application itself.
    > 3. Access Rights will be given on functionality basis. e.g. some role
    > can Add a new record, some can search for some particular records, some
    > can update it etc. We have these functionality implemented by standard
    > buttons in pages. Let's call these as "Access Areas".
    > 4. There are huge number of such Access Areas to be implemented in
    > various pages. Though they are finite (means administrator cannot
    > create/delete these access areas), but he can change the permission
    > over an Access Area to a role.
    >
    > Solutions I thought:
    > 1. I can, of course, write few lines in individual pages, read the
    > settings from database and apply. But I want to do this centrally, like
    > in application_authorizerequest event of global.asax file.
    > 2. I can create custom/user controls for each of the Access Areas and
    > implement security model onto that. But, we have developed the
    > application too far before the customer has made this request.
    >
    > In this scenario, can somebody help me about how should I design the
    > security model?
    >
    > Thanks
    > Snig.
    >
     
    Steve C. Orr [MVP, MCSD], Apr 25, 2005
    #2

  3. Snig

    Snig Guest

    Thanks Steve.

    Can the mechanism referred by the links provided by you handle the
    enabling/disabling of controls of a particular page?
    Please note that the authorization should be applied on control/field
    level instead of the whole page ...

    Snig.
     
    Snig, Apr 25, 2005
    #3
  4. With a drip of code here and there you can do anything you want with the
    controls in the page.

    --
    I hope this helps,
    Steve C. Orr, MCSD, MVP
    http://SteveOrr.net


    "Snig" <> wrote in message
    news:...
    > Thanks Steve.
    >
    > Can the mechanism referred by the links provided by you handle the
    > enabling/disabling of controls of a particular page?
    > Please note that the authorization should be applied on control/field
    > level instead of the whole page ...
    >
    > Snig.
    >
     
    Steve C. Orr [MVP, MCSD], Apr 25, 2005
    #4
  5. Snig

    Snig Guest

    Well, that's what I was trying to assert.
    The security model implementation should not be scattered here and
    there!

    Can I control the whole security framework in global.asax file itself
    by implementing custom HTTPModule?
     
    Snig, Apr 25, 2005
    #5
  6. This sounds possible, but not very easy in ASP.NET 1.x.

    The new capabilities in ASP.NET 2.0 will provide enhanced capabilities in
    this area.

    --
    I hope this helps,
    Steve C. Orr, MCSD, MVP
    http://SteveOrr.net


    "Snig" <> wrote in message
    news:...
    > Well, that's what I was trying to assert.
    > The security model implementation should not be scattered here and
    > there!
    >
    > Can I control the whole security framework in global.asax file itself
    > by implementing custom HTTPModule?
    >
     
    Steve C. Orr [MVP, MCSD], Apr 25, 2005
    #6
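
The central check discussed in this thread, as an added example that is not code from any poster or from the linked articles: one policy object maps each fixed "Access Area" to the roles allowed to use it, denies by default, and is consulted both when deciding whether to enable a button and again inside the server-side handler for that button. The class name `AccessAreaPolicy`, the area names, and the in-memory sample data (standing in for the SQL Server tables) are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical central policy: one place that answers "may this user use this Access Area?"
public sealed class AccessAreaPolicy
{
    // Fixed catalogue of Access Areas; the administrator cannot add or delete entries.
    private readonly Dictionary<string, HashSet<string>> _rolesByArea =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);

    public AccessAreaPolicy(IEnumerable<string> accessAreas)
    {
        foreach (string area in accessAreas)
            _rolesByArea[area] = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
    }

    // Administrator action: change which roles hold a permission on an existing area.
    public void SetPermission(string area, string role, bool allowed)
    {
        if (!_rolesByArea.TryGetValue(area, out HashSet<string> roles))
            throw new ArgumentException("Unknown Access Area: " + area);
        if (allowed) roles.Add(role); else roles.Remove(role);
    }

    // Deny by default: unknown area, unauthenticated user, or no granted role => false.
    public bool IsAllowed(IPrincipal user, string area)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated) return false;
        if (!_rolesByArea.TryGetValue(area, out HashSet<string> roles)) return false;
        foreach (string role in roles)
            if (user.IsInRole(role)) return true;
        return false;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data standing in for rows read from the SQL Server tables.
        var policy = new AccessAreaPolicy(new[] { "Customer.Add", "Customer.Search", "Customer.Update" });
        policy.SetPermission("Customer.Search", "Clerk", true);
        policy.SetPermission("Customer.Update", "Manager", true);

        IPrincipal clerk = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Clerk" });
        Console.WriteLine(policy.IsAllowed(clerk, "Customer.Search")); // decides whether the Search button is enabled
        Console.WriteLine(policy.IsAllowed(clerk, "Customer.Update")); // same call repeated in the Update click handler
        Console.WriteLine(policy.IsAllowed(clerk, "Customer.Delete")); // area not in the catalogue
    }
}
```

Disabling a control only hides the action; the same `IsAllowed` call belongs in the handler that performs the add, search or update, since a postback can be submitted for a control the page rendered as disabled.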