Site security config file and directories


steven scaife

I am creating a site for the intranet at the company I work for, but there
are 3 levels of security and a login form.

All users have to authenticate with the system. Logins are stored in a DB,
but I use Windows authentication to find the account; this is working fine,
and I have set the forms login XML bit in the web.config.

However the 3 levels of security are as follows.

Standard
The user gets to fill out requests, search and view current requests.

Managers
They get to verify requests that are then sent to the directors, plus the
standard pages.

Directors
They get to authorise requests, plus they get the standard pages.

I am just wondering what the best way of setting security is, placing pages
into appropriate directories and using a web.config file to set the security,
or adding location paths tags to the web.config file, or writing my own
mechanism for verifying access.

What do you think is the best way? Also, I have my ASP.NET exam coming up and
no doubt a question similar to this will pop up, so it would be good to know.

regards
 

Dominick Baier [DevelopMentor]

If page/directory authorization is granular enough - use the <authorization>
element. Otherwise use intra-page calls to Context.User.IsInRole.

I personally recommend using <location> elements in root config to have all
config settings in one place - but technically there is no difference to
putting separate web.config files into sub directories (MS emphasizes this
approach).
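
The single-root-config layout recommended in the reply above, as an added example that is not part of the original thread. The directory names (`Managers`, `Directors`), the role names and `Login.aspx` are assumptions, and the roles must already be attached to the authenticated principal (for example from the logins database) for the `roles` attribute to match.

```xml
<?xml version="1.0"?>
<!-- Root web.config: all authorization rules kept in one file.
     Directory names, role names and Login.aspx are assumed for illustration. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" />
    </authentication>

    <!-- Site default (Standard level): any authenticated user.
         "?" means anonymous, so unauthenticated requests are sent to the login page. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Pages for verifying requests live under /Managers.
       Rules are evaluated top-down and the first match wins,
       so the allow must come before the catch-all deny. -->
  <location path="Managers">
    <system.web>
      <authorization>
        <allow roles="Managers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Pages for authorising requests live under /Directors. -->
  <location path="Directors">
    <system.web>
      <authorization>
        <allow roles="Directors" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The trailing `<deny users="*" />` in each `<location>` is what closes the directory to everyone else; without it the request falls through to the inherited rules, which admit any authenticated user.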
 
