How many roles is too many?

Discussion in 'ASP .Net Security' started by Warm.Beer@gmail.com, Jun 13, 2006.

  1. Guest

    Hi there,

    We are upgrading an ASP classic application to ASP.NET 2.0, and
    currently have a permission set of about 200 distinct permissions.

    I am thinking of using the Membership provider to map each permission
    to a named Role, so we can explicitly or declaratively check for a
    given permission within the relevant business logic code.

    My question then, is 200 Roles attached to a Principal object going to
    be too much of an overhead, especially if we are storing the role list
    in an encrypted cookie?

    What other alternatives should we look at, e.g. store the Roles list in
    cache with the SessionId as a lookup key (our total number of users is
    small, i.e. <1000).

    Thanks in advance,

    Brett
     
    , Jun 13, 2006
    #1

  2. I would say that's the total upper limit - keep in mind that cookies are limited
    to 4KB plus encryption + integrity protection overhead. Try the RoleManager
    feature in 2.0.

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Hi there,
    >
    > We are upgrading an ASP classic application to ASP.NET 2.0, and
    > currently have a permission set of about 200 distinct permissions.
    >
    > I am thinking of using the Membership provider to map each permission
    > to a named Role, so we can explicitly or declaratively check for a
    > given permission within the relevant business logic code.
    >
    > My question then, is 200 Roles attached to a Principal object going to
    > be too much of an overhead, especially if we are storing the role list
    > in an encrypted cookie?
    >
    > What other alternatives should we look at, e.g. store the Roles list
    > in cache with the SessionId as a lookup key (our total number of users
    > is small, i.e. <1000).
    >
    > Thanks in advance,
    >
    > Brett
    >
     
    Dominick Baier [DevelopMentor], Jun 14, 2006
    #2
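    Concrete roleManager settings behind the suggestion above, added here as an example and not taken from the original thread. The role name CanExportReports, the page path Admin/Export.aspx and the LocalSqlServer connection-string name are assumptions.

```xml
<configuration>
  <system.web>
    <!-- Option 1: keep the role list on the server. With cacheRolesInCookie
         off, RolePrincipal asks the provider once per request and holds the
         result only for that request, so 200 role names never travel to the
         browser. At <1000 users per installation that lookup is cheap. -->
    <roleManager enabled="true" cacheRolesInCookie="false"
                 defaultProvider="AspNetSqlRoleProvider">
      <providers>
        <clear />
        <add name="AspNetSqlRoleProvider"
             type="System.Web.Security.SqlRoleProvider"
             connectionStringName="LocalSqlServer" applicationName="/" />
      </providers>
    </roleManager>

    <!-- Option 2, commented out for contrast (only one roleManager element
         is allowed): cache roles in the cookie but keep it bounded and
         protected. cookieProtection="All" encrypts and signs the ticket
         with the machineKey so edits are detected; maxCachedResults caps
         the role names stored, and a user with more roles than that is
         served from the provider instead. 200 roles would not fit anyway:
         the cookie must stay under 4 KB after encryption, MAC and base64. -->
    <!--
    <roleManager enabled="true" cacheRolesInCookie="true"
                 cookieName=".ASPXROLES" cookieProtection="All"
                 cookieRequireSSL="true" cookieSlidingExpiration="true"
                 cookieTimeout="30" createPersistentCookie="false"
                 maxCachedResults="25" defaultProvider="AspNetSqlRoleProvider" />
    -->

    <authorization>
      <deny users="?" />   <!-- anonymous users never reach a role check -->
    </authorization>
  </system.web>

  <!-- Declarative per-page check against one fine-grained role; the role
       name and path are constructed for this example. -->
  <location path="Admin/Export.aspx">
    <system.web>
      <authorization>
        <allow roles="CanExportReports" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```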

  3. wrote:
    > Hi there,
    >
    > We are upgrading an ASP classic application to ASP.NET 2.0, and
    > currently have a permission set of about 200 distinct permissions.
    >
    > I am thinking of using the Membership provider to map each permission
    > to a named Role, so we can explicitly or declaratively check for a
    > given permission within the relevant business logic code.
    >
    > My question then, is 200 Roles attached to a Principal object going to
    > be too much of an overhead, especially if we are storing the role list
    > in an encrypted cookie?
    >
    > What other alternatives should we look at, e.g. store the Roles list in
    > cache with the SessionId as a lookup key (our total number of users is
    > small, i.e. <1000).
    >
    > Thanks in advance,
    >
    > Brett
    >


    If you have less than 1000 users and more than 200 roles, I'd say that
    something is seriously wrong. Putting all 200 roles in a cookie would be
    out of the question for me. I'd probably choose to save the roles in the
    session or somewhere else on the server.

    You might also want to have a look at why there are so many roles.
    Because from your description there are approximately 3-5 users for each
    role you have which is an awful lot in my opinion. But there could
    of course be good reasons for this, in which case you should ignore my
    comments.

    I'd stay away from the cache as this would pose a security risk (the
    cache is shared between users) and could potentially allow one user to
    alter other users' assigned roles in process.

    Jesse Houwing
     
    Jesse Houwing, Jun 15, 2006
    #3
  4. Guest

    Thanks for the prompt replies, guys.

    I have definitely been turned off storing this amount of relatively
    static data in the client cookie.

    The number and granularity of the permissions set is a business
    requirement, so we can't easily remove any flexibility currently used
    by our customers. BTW, it's ~1000 users per installation, not total
    (my bad!)

    I've had a bit of a look into the Membership/Role providers in 2.0, so
    will probably proceed down that path, as it gives enough flexibility
    without a lot of code.

    Cheers,

    Brett
     
    , Jun 15, 2006
    #4
  5. You might want to check out a framework like AzMan. It allows you to map
    high level application roles to lower level tasks and operations. Perhaps
    the permissions in your app could be represented by operations and groups of
    them might roll up into higher level concepts?

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    <> wrote in message
    news:...
    > Thanks for the prompt replies, guys.
    >
    > I have definitely been turned off storing this amount of relatively
    > static data in the client cookie.
    >
    > The number and granularity of the permissions set is a business
    > requirement, so we can't easily remove any flexibility currently used
    > by our customers. BTW, it's ~1000 users per installation, not total
    > (my bad!)
    >
    > I've had a bit of a look into the Membership/Role providers in 2.0, so
    > will probably proceed down that path, as it gives enough flexibility
    > without a lot of code.
    >
    > Cheers,
    >
    > Brett
    >
     
    Joe Kaplan (MVP - ADSI), Jun 18, 2006
    #5