Role based Security and Permissions

Discussion in 'ASP .Net Security' started by Suneel Jhangiani, Jun 3, 2004.

  1. Hi,

    I have been working on a framework for publishing several sites from a
    single code based allowing for easy modification by end users. I have based
    my code around the IBuySpy Portal sample, and am now looking at re-working
    the Security Model throughout the whole Framework.

    The first thing that should be said about my framework that differs from all
    others, is that tabs and modules can be created without being assigned to a
    portal. A Portal administrator can add new tabs or select an existing tab.
    In addition, when content is added the author can choose which portals the
    content can be displayed on by selecting them from a list box.

    When initially looking at the security I thought about having a permission
    based system, where by a user would have certain permissions. My initial
    thought was to place the User Permissions into a bit mask value that can be
    enumerated eg.:

    Public Enum Permissions

    None = &H0

    ViewUnApproved = &H1
    ViewApproved = &H2
    ViewUnPublished = &H4
    ViewPublished = &H8

    EditAll = &H10
    EditOwn = &H20
    DeleteAll = &H40
    DeleteOwn = &H80

    Add = &H100
    Translate = &H200
    Approve = &H400
    Publish = &H800

    End Enum


    Once I had done this I realized that I would need the permission to be
    stored based on a level eg.:

    Public Enum PermissionLevel

    None = &H0
    ContentLevel = &H1
    CategoryLevel = &H2
    ModuleLevel = &H4
    TabLevel = &H8
    PortalLevel = &H10
    SystemLevel = &H20

    End Enum

    Therefore, a user role would infact be a combination of the PermissionLevel,
    Permission bitmask, an Allow/Deny bit and an ItemID. The ItemID would relate
    to the level, so that if the PermissionLevel were set to TabLevel, then the
    ItemId would represent the Tab; likewise if it was set to PortalLevel than
    the ItemID would represent the Portal. The SystemLevel would not require an
    ItemID as it applies to whole the application and a user with all
    permissions at this level would be considered a super user.

    My idea by using the above is so that I can check a users permission in the
    following way:

    If User.HasPermission(PortalId, TabId, ModuleId, CategoryId, ItemID,
    ViewApproved OR ViewPublished) Then
    ' Display Approved or Published content
    End If

    Most of the other Portal Frameworks I have looked at use string based Roles
    and the User.IsInRole method to check permissions. However, this requires
    that a string of Roles be stored for each permission type (ie. IBuySpy uses
    AuthorizedRoles and AuthorizedEditRoles for view and edit permission
    respectively).

    My full concept would be to create several Groups that Users are assigned
    to. These groups are assigned permissions and as such a user inherits these
    permissions. However, I want to allow the ability for a single user to
    override a group permission. For example, a Group is created which can Add
    new content to a single page (Tab Level), but I want a single user within
    this group not to be able to add new announcements on this page, so I add a
    UserPermission to deny that user access to the Announcements Module. I have
    already worked this out at the database layer, I'm just stuck on the best
    way to implement this scenario in ASP.Net using Forms based Authentication
    and would appreciate any advice / pointers.

    I would also like to know if any one has any tips on how to make the model
    extensible, such that say a third-party writes a new module and wants to
    have specific permissions available to that module how can that be
    integrated? For example we create a Corporate Directory which includes
    Employee photographs, however we only want employees to see that
    photographs. Through the above design, it shold be as simple as extending
    the bitmask eg.:

    ViewPhotograph = &1000
    ViewAddress = &2000
    ViewPersonalInfo = &4000


    Hoping someone has some good advice,

    Suneel.
    Suneel Jhangiani, Jun 3, 2004
    #1
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Jesper Stocholm
    Replies:
    2
    Views:
    8,061
    John Saunders
    Aug 23, 2003
  2. Liet Kynes
    Replies:
    0
    Views:
    471
    Liet Kynes
    Nov 26, 2003
  3. =?Utf-8?B?ZGF2aWQ=?=

    role based security and

    =?Utf-8?B?ZGF2aWQ=?=, Apr 15, 2005, in forum: ASP .Net
    Replies:
    7
    Views:
    373
    =?Utf-8?B?ZGF2aWQ=?=
    Apr 15, 2005
  4. A Mackie
    Replies:
    2
    Views:
    226
    A Mackie
    Oct 20, 2004
  5. Kursat
    Replies:
    1
    Views:
    298
    Dominick Baier
    May 7, 2007
Loading...

Share This Page