Role based opinion needed - Not for app but for assets...

Discussion in 'ASP .Net Security' started by Cy Huckaba, Nov 18, 2003.

  1. Cy Huckaba

    Cy Huckaba Guest

    I have gone through newsgroups and several websites and have a pretty good
    handle on the role based security and dynamically displaying pages on our
    extranets based on roles and permissions. We are adding another layer of access
    permissions to our extranets and I need some opinions on the best way to acheive
    what we are trying to do.

    Currently our access levels look like this. Users are either internal or
    external and then within each of those groups there are 3 more access levels.

    Internal (Employees) - User | Manager | Executive

    External (Client) - User | Manager | Executive

    Some parts of pages and or datasets displayed contain internal and external
    records for users in the internal group and only external records for users in
    the external groups, etc. The user | mgr |exec sub groups not only provide
    access to who can view certain documents but also provide some admin privileges
    as well (edit/update/create) etc.

    We are adding another high level group called Vendors which will also contain
    the 3 sub groups as well. So that clients can open up some of the functions to
    outside vendors that we partner with to get projects done sometimes.

    Currently, assets that are up for review are taged with an internalOnly flag
    (boolean) and an minAccessLevel value (0 | 5 | 10) as well as the clientID. This
    will not work in the new scenario where vendors may or may note have access to
    every assets within a job. We are basically going to have to move to an ACL

    I don't know what the best way to approach this is. Do I have an ACL field that
    is comma seperated with all roles? Example (vendors that can access this asset
    would be xyz, abc) and another ACL field that says whether or not vendors even
    have access (groups that can have access are int, ext, ven)?

    Basically internal can see everything that satisfies the minimum access level.
    Clients are the same. Vendors may be able to see some things, but the clients do
    want to be able to specify access to which vendors. If something is posted by a
    vendor then only that vendor can see it, some vendors will be able to see all
    (super Vendors). I know this is vague and apologize.

    Any thoughts or links to articles you can provide would be greatly appreciated.
    Looking for thought process more than code here.


    Cy Huckaba
    T3 - Austin, TX
    Cy Huckaba, Nov 18, 2003
    1. Advertisements

  2. MSFT

    MSFT Guest


    I think you may consider add an ACL table in your database, and grant every
    resource a Resource ID and every role as role ID. In the ACL table, if
    there is a record for a specail role ID and resource ID, the role will have
    permission to view the resource. You can also add a field to the resource
    to indicate if a role can read/write/create the resource.

    Microsoft Online Support

    Get Secure!
    (This posting is provided "AS IS", with no warranties, and confers no
    MSFT, Nov 19, 2003
    1. Advertisements

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Jesper Stocholm
    John Saunders
    Aug 23, 2003
  2. Liet Kynes
    Liet Kynes
    Nov 26, 2003
  3. RC
    Nov 11, 2004
  4. Alex Maghen

    Forms-Based Authentiction and NON ASP.NET Assets

    Alex Maghen, Feb 20, 2005, in forum: ASP .Net Security
    Feb 22, 2005
  5. Kursat
    Dominick Baier
    May 7, 2007

Share This Page