How many roles is too many?

[Warm.Beer]

Hi there,

We are upgrading an ASP classic application to ASP.NET 2.0, and
currently have a permission set of about 200 distict permissions.

I am thinking of using the Membership provider to map each permission
to a named Role, so we can explicitly or declaritively check for a
given permission within the relevant business logic code.

My question then, is 200 Roles attached to a Principal object going to
be too much of an overhead, especially if we are storing the role list
in an encrypted cookie?

What other alternatives should we look at, e.g. store the Roles list in
cache with the SessionId as a lookup key (our total number of users is
small, i.e. <1000).

Thanks in advance,

Brett

 

[Dominick Baier [DevelopMentor]]

i would say thats the total upper limit - keep in mind that cookies are limited
to 4KB plus encryption + integrity protection overhead. Try the RoleManager
feature in 2.0.

 

[Jesse Houwing]

Hi there,

We are upgrading an ASP classic application to ASP.NET 2.0, and
currently have a permission set of about 200 distict permissions.

I am thinking of using the Membership provider to map each permission
to a named Role, so we can explicitly or declaritively check for a
given permission within the relevant business logic code.

My question then, is 200 Roles attached to a Principal object going to
be too much of an overhead, especially if we are storing the role list
in an encrypted cookie?

What other alternatives should we look at, e.g. store the Roles list in
cache with the SessionId as a lookup key (our total number of users is
small, i.e. <1000).

Thanks in advance,

Brett

If you have less than 1000 users and more than 200 roles, I'd say that
something is seriously wrong. Putting all 200 roles in a cookie would be
out of the question for me. I'd probably choose to save the roles in the
session or somewhere else on the server.

You might also want to have a look at why there are so many roles.
Because from your description there are approximately 3-5 users for each
role you have which is an awful lot in my opinion. But there could
ofcourse be good reasons for this, in which case you should ignore my
comments.

I'd stay away from the cache as this would pose a security risk (the
cache is shared between users) and could potentionally allow one user to
alter other users assigned roles in process.

Jesse Houwing

 

[Warm.Beer]

Thanks for the prompt replies, guys.

I have definitely been turned off storing this amount of relately
static data in the client cookie.

The number and granularity of the permissions set is a business
requirement, so we can't easily remove any flexibility currently used
by our customers. BTW, it's ~1000 users per installation, not total
(my bad!)

I've had a bit of a look into the Membership/Role providers in 2.0, so
will probably proceed down that path, as it gives enough flexibility
without a lot of code.

Cheers,

Brett

 

[Joe Kaplan \(MVP - ADSI\)]

You might want to check out a framework like AzMan. It allows you to map
high level application roles to lower level tasks and operations. Perhaps
the permissions in your app could be represented by operations and groups of
them might roll up into higher level concepts?

Joe K.