How many roles is too many?

Discussion in 'ASP .Net Security' started by Warm.Beer, Jun 13, 2006.

  1. Warm.Beer

    Warm.Beer Guest

    Hi there,

    We are upgrading an ASP classic application to ASP.NET 2.0, and
    currently have a permission set of about 200 distinct permissions.

    I am thinking of using the Membership provider to map each permission
    to a named Role, so we can explicitly or declaratively check for a
    given permission within the relevant business logic code.

    My question then, is 200 Roles attached to a Principal object going to
    be too much of an overhead, especially if we are storing the role list
    in an encrypted cookie?

    What other alternatives should we look at, e.g. store the Roles list in
    cache with the SessionId as a lookup key (our total number of users is
    small, i.e. <1000).

    Thanks in advance,

    Warm.Beer, Jun 13, 2006

  2. I would say that's the total upper limit - keep in mind that cookies are limited
    to 4KB plus encryption + integrity protection overhead. Try the RoleManager
    feature in 2.0.
    Dominick Baier [DevelopMentor], Jun 14, 2006
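    To put the 4KB figure in concrete numbers, here is an added Python sketch written for this thread (it is not ASP.NET or RoleManager code, and the role names, separator, key and zero IV are constructed placeholders). It models only the wire size of a role list serialized into a protected cookie: names joined with a separator, padded to 16-byte blocks as a CBC cipher would leave them, a 16-byte IV, a 20-byte HMAC-SHA1 tag, then base64. No real encryption happens, but a block cipher does not change the padded length, so the size estimate holds.

```python
import base64
import hashlib
import hmac

# Practical per-cookie size limit in bytes, as discussed in the thread.
COOKIE_LIMIT = 4096

# Constructed placeholders: a real deployment derives the key from machineKey
# and uses a random IV. Only the sizes matter for this estimate.
DEMO_KEY = b"constructed-demo-key"
DEMO_IV = bytes(16)


def sample_roles(n):
    """Construct n hypothetical role names of realistic length."""
    return [f"Module{i // 10}.Permission{i % 10}" for i in range(n)]


def build_role_cookie(roles, key=DEMO_KEY):
    """Model the size of an encrypted, integrity-protected role cookie.

    Layout modelled: IV || CBC-padded payload || HMAC-SHA1 tag, base64-encoded.
    The payload is not encrypted here; CBC keeps the padded length unchanged,
    so the resulting length is the same as for a real ciphertext.
    """
    payload = "|".join(roles).encode("utf-8")
    pad = 16 - len(payload) % 16            # PKCS#7-style padding to 16-byte blocks
    padded = payload + bytes([pad]) * pad
    body = DEMO_IV + padded
    tag = hmac.new(key, body, hashlib.sha1).digest()   # 20-byte integrity tag
    return base64.b64encode(body + tag).decode("ascii")


def cookie_size(roles, key=DEMO_KEY):
    """Length in bytes of the cookie value as it would travel on the wire."""
    return len(build_role_cookie(roles, key))


def fits_in_cookie(roles, key=DEMO_KEY, limit=COOKIE_LIMIT):
    return cookie_size(roles, key) <= limit


def max_roles_that_fit(roles, key=DEMO_KEY, limit=COOKIE_LIMIT):
    """Largest prefix of the role list whose cookie stays within the limit."""
    count = 0
    for n in range(1, len(roles) + 1):
        if cookie_size(roles[:n], key) > limit:
            break
        count = n
    return count


if __name__ == "__main__":
    for n in (25, 100, 200):
        roles = sample_roles(n)
        print(f"{n:3d} roles -> {cookie_size(roles):5d} bytes, fits: {fits_in_cookie(roles)}")
    print("max roles that fit:", max_roles_that_fit(sample_roles(200)))
```

With 200 names of about 20 characters the plain, unencoded list is already over 4096 bytes before the IV, padding, tag and base64 expansion are added, so the question is not how much protection overhead there is but whether the list belongs in a cookie at all; with 25 names the same cookie is a few hundred bytes.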

  3. If you have less than 1000 users and more than 200 roles, I'd say that
    something is seriously wrong. Putting all 200 roles in a cookie would be
    out of the question for me. I'd probably choose to save the roles in the
    session or somewhere else on the server.

    You might also want to have a look at why there are so many roles.
    Because from your description there are approximately 3-5 users for each
    role you have which is an awful lot in my opinion. But there could
    of course be good reasons for this, in which case you should ignore my

    I'd stay away from the cache as this would pose a security risk (the
    cache is shared between users) and could potentially allow one user to
    alter other users' assigned roles in process.

    Jesse Houwing
    Jesse Houwing, Jun 15, 2006
  4. Warm.Beer

    Warm.Beer Guest

    Thanks for the prompt replies, guys.

    I have definitely been turned off storing this amount of relatively
    static data in the client cookie.

    The number and granularity of the permissions set is a business
    requirement, so we can't easily remove any flexibility currently used
    by our customers. BTW, it's ~1000 users per installation, not total
    (my bad!)

    I've had a bit of a look into the Membership/Role providers in 2.0, so
    will probably proceed down that path, as it gives enough flexibility
    without a lot of code.


    Warm.Beer, Jun 15, 2006
  5. You might want to check out a framework like AzMan. It allows you to map
    high level application roles to lower level tasks and operations. Perhaps
    the permissions in your app could be represented by operations and groups of
    them might roll up into higher level concepts?

    Joe K.
    Joe Kaplan (MVP - ADSI), Jun 18, 2006
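As an added illustration of the roll-up Joe describes, here is a small Python model written for this thread (it is not AzMan or ASP.NET code, and the role, task and operation names are constructed). Application roles contain tasks, tasks contain leaf operations or other tasks, and the business logic checks a leaf operation while the principal only needs to carry a handful of role names. Unknown names raise instead of silently granting nothing, so a mistyped definition fails when the hierarchy is loaded rather than at authorization time.

```python
# Constructed, hypothetical AzMan-style hierarchy: application roles contain
# tasks; tasks contain operations or other tasks. Leaf operations are the
# fine-grained permissions the business logic checks.
OPERATIONS = {"Invoice.View", "Invoice.Edit", "Invoice.Approve", "Report.Run", "User.Edit"}

TASKS = {
    "ReadInvoices": ["Invoice.View"],
    "ManageInvoices": ["ReadInvoices", "Invoice.Edit", "Invoice.Approve"],
    "Reporting": ["Report.Run"],
    "Administration": ["User.Edit", "ManageInvoices"],
}

ROLES = {
    "Clerk": ["ReadInvoices", "Reporting"],
    "Manager": ["ManageInvoices", "Reporting"],
    "Admin": ["Administration", "Reporting"],
}


def expand_task(task, tasks=TASKS, operations=OPERATIONS, _seen=None):
    """Return the set of leaf operations a task grants, following nested tasks."""
    if _seen is None:
        _seen = set()
    if task not in tasks:
        raise ValueError(f"unknown task: {task}")
    if task in _seen:            # nested tasks may form a cycle; visit each once
        return set()
    _seen.add(task)
    result = set()
    for member in tasks[task]:
        if member in operations:
            result.add(member)
        elif member in tasks:
            result |= expand_task(member, tasks, operations, _seen)
        else:
            raise ValueError(f"unknown task or operation: {member}")
    return result


def effective_operations(user_roles, roles=ROLES, tasks=TASKS, operations=OPERATIONS):
    """Flatten a user's application roles to the operations they may perform."""
    granted = set()
    for role in user_roles:
        if role not in roles:
            raise ValueError(f"unknown role: {role}")
        for task in roles[role]:
            granted |= expand_task(task, tasks, operations)
    return granted


def user_can(user_roles, operation):
    """The check business logic would make against a leaf operation."""
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operation: {operation}")
    return operation in effective_operations(user_roles)


if __name__ == "__main__":
    for role in ROLES:
        print(f"{role:8s} -> {sorted(effective_operations([role]))}")
    print("Clerk may approve invoices:", user_can(["Clerk"], "Invoice.Approve"))
```

The point of the model is the ratio: the user's principal carries one or two role names, while the 200 or so leaf operations live only in the hierarchy definition on the server, where changing a task's contents re-grants permissions without touching any user record.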
