I'm building a management/reporting web project in c#, asp.net 3.5 and I'm using the .net membership and roles framework to manage the users of this web site.
In the site there will be an admin section where administrators can manage all users and roles for the application. I also want to have a section that allows administrators to manage the authorization rules for the application, much like the WSAT only this would be in the production environment.
Firstly, is there any way to implement authorization rules without adding <authorization> nodes to the web.config file???
I've looked at the 4guysfromrolla article on how to roll your own WSAT
but I'm not sure that I want to be editing the web.config file on the fly in a production environment.
Would I be better off storing my own authorization rules in a DB and implementing them at Application_OnPostAuthenti
I haven't found a lot of information on managing authorization rules in a production environment....hopefully someone can point me in the right direction!