Solved

Programatically manage .net authorization rules

Posted on 2009-07-07
4
880 Views
Last Modified: 2012-05-07
Hi,
I'm building a management/reporting web project in c#, asp.net 3.5 and I'm using the .net membership and roles framework to manage the users of this web site.
In the site there will be an admin section where administrators can manage all users and roles for the application. I also want to have a section that allows administrators to manage the authorization rules for the application, much like the WSAT only this would be in the production environment.
Firstly, is there any way to implement authorization rules without adding <authorization> nodes to the web.config file???
I've looked at the 4guysfromrolla article on how to roll your own WSAT
http://aspnet.4guysfromrolla.com/articles/053007-1.aspx
but I'm not sure that I want to be editing the web.config file on the fly in a production environment.
Would I be better off storing my own authorization rules in a DB and implementing them at Application_OnPostAuthenticateRequest ??
I haven't found a lot of information on managing authorization rules in a production environment....hopefully someone can point me in the right direction!
0
Comment
Question by:dbyra
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 9

Accepted Solution

by:
Rahul Goel ITIL earned 250 total points
ID: 24801199
Hey you can write the membershipproviders and use that while authentication and role managements

Custom MembershipProviders
http://www.codeproject.com/KB/aspnet/WSSecurityProvider.aspx
http://www.devx.com/asp/Article/29256
 
0
 
LVL 2

Assisted Solution

by:kbac
kbac earned 250 total points
ID: 24802931
If you are just considering a configurable authorization at application level, you can define all possible authorization items in your database as a start:

AuthItId       AuthName                                      
1                  Products                                        
2                  Orders                                          
3                  Customers                                    

Then authorization actions (you can add these on the first table as well)

AuthAcID    FK_AuthItID          AuthAcName    
1                       1                      View Products
2                       2                      View Orders
3                       2                      Update Orders
4                       2                      Delete Orders
5                       3                      View Customers

You can directly assign the actions to your users, that you keep in the user table. Or you can add one more table (except the action - user relation table) for grouping those actions (such as roles), which are overriden by the user-actions relation table. I'll pass the roles table, go directly to the user-actions

FK_userID       FK_AuthActionID
1                                 2
2                                 2
2                                 3
2                                 4
2                                 5

You can make a stored procedure, and dynamically create relations between these actions and the related stored procedures

If you keep the userID in your session, and if you assign these AuthAcID values to the functionalities in your site, when each page is visited, each button is clicked, you can call the same function (having a logic like that:)

public boolean UserAuthorized (int vintUserID, int vintActionID)
{
.......
"select * where userID = " & vintUserID.ToString() & " and AuthAcID = " & vintActionID.ToString()

.....
return (#of records>0)
}

You are now doing the authorization depending on the database values (can be changed by the users) and the fixed functionality of the application (you have to change this when you change the code).

If you keep the authorization rights in your cache or session, then this won't be real time, and you'll have to put flags to follow if any change is made affecting that user and update authorization information in that situation.

You won't need the first table, unless you want to group the authorization actions by pages or subject in authorization editing pages.
0
 
LVL 2

Expert Comment

by:kbac
ID: 24802979
Forgot to tell you;

you can use the UserAuthorized function like that:

If you put the AuthAcID values as constant values or variable values in your application:
cmdUpdateOrders.Enabled = UserAuthorized (Session("userID"), CONST_UpdateOrders)

Or you can declare the same variable in every function:
Private void CmdUpdateOrders_Click (......)
{
int lintFunctionID = 13;
cmdUpdateOrders.Enabled = UserAuthorized (Session("userID"), lintFunctionID)
...
}
and paste the 2 lines in every function, and only change the function id value according to the action values in db.
0

Featured Post

Enroll in May's Course of the Month

May’s Course of the Month is now available! Experts Exchange’s Premium Members and Team Accounts have access to a complimentary course each month as part of their membership—an extra way to increase training and boost professional development.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Problem Hi all,    While many today have fast Internet connection, there are many still who do not, or are connecting through devices with a slower connect, so light web pages and fast load times are still popular.    If your ASP.NET page …
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question