• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 252
  • Last Modified:

Migrating Intranet/Internet Administration

Hi,
We are in the process of migrating our current sites from ASP to ASP.NET and I would like to change the way our admin section is set up.  This is the way we have it currently:
We have a table of Administrators that contains their names, etc and also contains their permissions to the various admin tasks.  Each task has a bit field in the table and if the administrator can access that task then they get a 1 and if not then they get a 0.  

The permissions are changed by either checking or unchecking a checkbox. When they login their permissions are read from the table and they are assigned a session variable that looks like this "YNNNNNNNNNNNNNNNNN", each Y stands for the tasks that they are allowed to perform.  

The navigation is an included page which only displays the tasks that they have permissions to.  Each page checks the location of it's "Y" against the session to validate the user like this:
if mid(permission,1,1) = "Y" then
      if mid(session("permissions"),1,1) = "Y" then
            allowedtogo=true
      end if
end if

I realize that this is a VERY poor way to set this up (I didn't create it) and I want to change this during our migration.  Some of the tasks are divided up into sections and then the sections are divided up into categories.  We want to change this so that the users who have permissions to tasks only have permissions to specific sections in those tasks if there are sections.  

For example, if a user is supposed to manage the links for the General and Accounting sections then they shouldn't be able to see or change any links that belong to other sections.

Also, sometimes we have to add or remove sections or categories.  We are thinking along the lines of having groups set up but there are only about 15 administrators right now and we are not sure how to go abou doing this.

Has anyone set something like this up before?

My question is: Can you tell me the BEST way to do this?  We are using as MSSQL 7 DB

Thanks in advance,
Ana
0
anastasiawinters
Asked:
anastasiawinters
  • 5
  • 5
  • 2
1 Solution
 
nauman_ahmedCommented:
Its kinda like managing a profile center where you define application, and give user rights over a specific applications depending on the roles defined for that application. Currently I am using the following approach that consists of following tables:

Application: This define the application, its name its purpose
ApplicationAccess:This define the access level an applicaiton can have e.g. administrator, editor, author etc
User: User specific table
UserRights: This define user id, application, and user rights over that application.

At the time of loging in, you need to loop through UserRights table and find if user has rights to access its application. In the code, you can easily enable/disable various features of an application depending on the user role.

Hope this will help, nauman
0
 
anastasiawintersAuthor Commented:
do you have it set up in groups of users or individually?
0
 
nauman_ahmedCommented:
You can extend the functionality to set user permission based on groups. I am planning to do that for one of my application but didnt implemented it yet....It will give you more flexibility.....

Best, Nauman
0
Cloud Class® Course: CompTIA Cloud+

The CompTIA Cloud+ Basic training course will teach you about cloud concepts and models, data storage, networking, and network infrastructure.

 
anastasiawintersAuthor Commented:
Thanks,

I'd like to hear to opinions of anyone else as well.
0
 
AerosSagaCommented:
Check here for all your options:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconaspnetauthentication.asp

Active Directory Integration is by far the best, but from your description the ASP.NET Forms Authentication should be able to do everything you want, and fix that awful mess you described.

Regards,

Aeros
0
 
anastasiawintersAuthor Commented:
Thanks, have you used this before?

How do set this up so that I can not only validate the users but also display and allow only their allowed tasks?
0
 
AerosSagaCommented:
Yes I use it for some of our intranet applications that ppl have to access on *nix systems.  The link has all the details I suggest you take your info from there put I'll post some code to demonstrate.  First Make sure something like this is in your web.cofig file.

<authentication mode="Forms" > 
    <forms name="synthesis" loginUrl="login.aspx" timeout="30" />
      </authentication>

Then here is the vb you use to allow/disallow access:

Private Sub ProcessLoginRequest(ByVal RedirectPage As String)
        Dim Login As String = Me.txtLogin.Text
        Dim Password As String = Me.txtPassword.Text
        Select Case AuthenticateLogin(Login, Password)
            Case 0
                Me.lblMsg.Visible = True
                Me.lblMsg.Text = "Invalid Credentials"
            Case 1
                Dim Roles As String
                Dim authTicket As FormsAuthenticationTicket
                Dim encTicket As String
                Dim cookie As HttpCookie
                                authTicket = New FormsAuthenticationTicket(1, Login, Now(), Now.AddMinutes(30), False, Roles)
                encTicket = FormsAuthentication.Encrypt(authTicket)
                cookie = New HttpCookie(FormsAuthentication.FormsCookieName, encTicket)
                Response.Cookies.Add(cookie)
                Response.Redirect("MyRedirectPage.aspx")
        End Select
    End Sub

Then on the redirect page you can make items visible/invisible based on the roles you create...see link in above post for howto

 Private Sub Page_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        'Put user code to initialize the page here
        Dim authTicket As FormsAuthenticationTicket
        Dim fi As FormsIdentity = CType(HttpContext.Current.User.Identity, FormsIdentity)
        authTicket = fi.Ticket
        HttpContext.Current.User = New GenericPrincipal(User.Identity, Split(authTicket.UserData, ","))
        If HttpContext.Current.User.IsInRole("User") Then
        End If
        If HttpContext.Current.User.IsInRole("Admin") Then
            Me.lbEdit.Visible = True
            Me.lbNewJob.Visible = True
        End If
    End Sub

Hope that clears it up for you.

Regards,

Aeros
0
 
anastasiawintersAuthor Commented:
Thanks, that example makes the use of it much clearer but how do I set that up in the database?

Also, we have an administration page that allows the (selected)administrators to change the permissions of other users.  Can you do that with this authentication too?
0
 
AerosSagaCommented:
yes just create a db table with fields for UserName, Password, the user role, etc.  you will have to right a little function to retrieve these values like so, after that you can use the HttpContext.CurrentUser.IsInRole to do whatever else you need.

 Private Function AuthenticateLogin(ByVal Login As String, ByVal Password As String) As Integer
        'Authenticates the user against the database
        Dim cmd As New SqlCommand
        Dim ReturnValue As Integer
        cmd.Connection = New SqlConnection(ConfigurationSettings.AppSettings("EmeraldConnStr"))
        cmd.CommandType = CommandType.StoredProcedure
        cmd.CommandText = "SynthesisAuthenticateLogin"
        cmd.Parameters.Add(New SqlParameter("@Login", Login))
        cmd.Parameters.Add(New SqlParameter("@Password", Password))
        cmd.Parameters.Add(New SqlParameter("@ReturnCode", DbType.Int32))
        cmd.Parameters("@ReturnCode").Direction = ParameterDirection.ReturnValue
        cmd.Connection.Open()
        cmd.ExecuteNonQuery()
        cmd.Connection.Close()
        ReturnValue = CInt(cmd.Parameters("@ReturnCode").Value)
        cmd.Connection.Dispose()
        cmd.Dispose()
        Return ReturnValue
    End Function
    Private Function GetRolesString(ByVal Login As String) As String
        'Returns a comma-delimited string of the user's roles
        '---------------------------------------------------------------------------------
        'For testing purposes, you can hard-code the role list and skip the database stuff
        'Return "User"
        '---------------------------------------------------------------------------------
        Dim cmd As New SqlCommand
        Dim dr As SqlDataReader
        Dim Roles As String
        cmd.Connection = New SqlConnection(ConfigurationSettings.AppSettings("EmeraldConnStr"))
        cmd.CommandType = CommandType.StoredProcedure
        cmd.CommandText = "SynthesisGetOperatorRoles"
        cmd.Parameters.Add(New SqlParameter("@Login", Login))
        cmd.Connection.Open()
        dr = cmd.ExecuteReader(CommandBehavior.CloseConnection)
        If dr.Read Then
            Roles = CStr(dr("RoleList"))
        End If
        dr.Close()
        dr = Nothing
        cmd.Connection.Dispose()
        cmd.Dispose()
        Return Roles.ToString
    End Function

Regards,

Aeros
0
 
AerosSagaCommented:
Just edit the roles in the DB in the administration page, easy!!

0
 
anastasiawintersAuthor Commented:
Nice, thanks for your quick responses.

I'm not going to use it yet as we need to decide the exact structure but you've given me a lot of useful information.
0
 
AerosSagaCommented:
No problem, glad I could be of assistance.

Regards,

Aeros
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: SQL Server Core 2016

This course will introduce you to SQL Server Core 2016, as well as teach you about SSMS, data tools, installation, server configuration, using Management Studio, and writing and executing queries.

  • 5
  • 5
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now