Programmatically manage .NET authorization rules

Hi,
I'm building a management/reporting web project in C#, ASP.NET 3.5, and I'm using the .NET membership and roles framework to manage the users of this web site.
In the site there will be an admin section where administrators can manage all users and roles for the application. I also want to have a section that allows administrators to manage the authorization rules for the application, much like the WSAT only this would be in the production environment.
Firstly, is there any way to implement authorization rules without adding <authorization> nodes to the web.config file?
I've looked at the 4guysfromrolla article on how to roll your own WSAT
http://aspnet.4guysfromrolla.com/articles/053007-1.aspx
but I'm not sure that I want to be editing the web.config file on the fly in a production environment.
Would I be better off storing my own authorization rules in a DB and implementing them at Application_OnPostAuthenticateRequest?
I haven't found a lot of information on managing authorization rules in a production environment... hopefully someone can point me in the right direction!
dbyra asked:
Rahul Goel (ITIL, Senior Consultant - Deloitte) commented:
Hey, you can write the membership providers and use those for authentication and role management.

Custom MembershipProviders
http://www.codeproject.com/KB/aspnet/WSSecurityProvider.aspx
http://www.devx.com/asp/Article/29256
kbac commented:
If you are just considering a configurable authorization at application level, you can define all possible authorization items in your database as a start:

AuthItId   AuthName
1          Products
2          Orders
3          Customers

Then authorization actions (you can add these on the first table as well)

AuthAcID   FK_AuthItID   AuthAcName
1          1             View Products
2          2             View Orders
3          2             Update Orders
4          2             Delete Orders
5          3             View Customers

You can directly assign the actions to your users, which you keep in the user table. Or you can add one more table (in addition to the action-user relation table) for grouping those actions (such as roles), which are overridden by the user-actions relation table. I'll skip the roles table and go directly to the user-actions table:

FK_userID   FK_AuthActionID
1           2
2           2
2           3
2           4
2           5

You can make a stored procedure, and dynamically create relations between these actions and the related stored procedures

If you keep the userID in your session and assign these AuthAcID values to the functionality in your site, then whenever a page is visited or a button is clicked you can call the same function (with logic like this):

// requires: using System.Data.SqlClient;
public bool UserAuthorized(int vintUserID, int vintActionID)
{
    // Count the user-action rows for this user/action pair. Parameters keep the
    // IDs out of the SQL text (no string concatenation); table name is assumed.
    using (var conn = new SqlConnection(connectionString))
    using (var cmd = new SqlCommand(
        "SELECT COUNT(*) FROM UserActions WHERE FK_userID = @userId AND FK_AuthActionID = @actionId", conn))
    {
        cmd.Parameters.AddWithValue("@userId", vintUserID);
        cmd.Parameters.AddWithValue("@actionId", vintActionID);
        conn.Open();
        return (int)cmd.ExecuteScalar() > 0;   // # of records > 0
    }
}

You are now doing the authorization depending on the database values (can be changed by the users) and the fixed functionality of the application (you have to change this when you change the code).

If you keep the authorization rights in your cache or session, then this won't be real time, and you'll have to put flags to follow if any change is made affecting that user and update authorization information in that situation.

You won't need the first table, unless you want to group the authorization actions by pages or subject in authorization editing pages.
kbac commented:
Forgot to tell you:

you can use the UserAuthorized function like that:

If you put the AuthAcID values as constant values or variable values in your application:
// Session["userID"] is assumed to hold the user's numeric ID as an int
cmdUpdateOrders.Enabled = UserAuthorized((int)Session["userID"], CONST_UpdateOrders);

Or you can declare the same variable in every function:
private void CmdUpdateOrders_Click(object sender, EventArgs e)
{
    int lintFunctionID = 13;   // AuthAcID of this action in the database
    cmdUpdateOrders.Enabled = UserAuthorized((int)Session["userID"], lintFunctionID);
    ...
}
and paste these two lines into every function, changing only the function ID value to match the action values in the DB.
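The following is an added example, not kbac's code or anything from the original thread, showing how the question's Application_PostAuthenticateRequest idea and kbac's user-actions table fit together in ASP.NET 3.5: the user's granted AuthAcID values are loaded once per request with a parameterised query, attached to the request principal, and then checked through named constants instead of a magic number pasted into every handler. The Users and UserActions tables, the "AuthDb" connection string, the ActionPrincipal class and the OrdersPage/cmdUpdateOrders control are all assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;
using System.Web.UI;

// Named action IDs; values follow kbac's sample AuthAcID table above (assumed).
public static class AuthAction
{
    public const int ViewProducts  = 1;
    public const int ViewOrders    = 2;
    public const int UpdateOrders  = 3;
    public const int DeleteOrders  = 4;
    public const int ViewCustomers = 5;
}

// Principal carrying the set of AuthAcID values granted to the current user.
// It wraps the forms-authentication identity so User.Identity.Name keeps working.
public class ActionPrincipal : IPrincipal
{
    private readonly IIdentity identity;
    private readonly HashSet<int> actions;

    public ActionPrincipal(IIdentity identity, IEnumerable<int> grantedActions)
    {
        this.identity = identity;
        this.actions = new HashSet<int>(grantedActions);
    }

    public IIdentity Identity { get { return identity; } }
    // Role checks are not part of this scheme, so deny rather than guess.
    public bool IsInRole(string role) { return false; }
    public bool Can(int actionId) { return actions.Contains(actionId); }
}

public static class AuthRepository
{
    // Returns the AuthAcID values granted to a user name. The query is
    // parameterised so the name is never concatenated into SQL. The Users and
    // UserActions tables and the "AuthDb" connection string are assumptions.
    public static List<int> LoadActions(string userName)
    {
        var result = new List<int>();
        string cs = ConfigurationManager.ConnectionStrings["AuthDb"].ConnectionString;
        const string sql =
            "SELECT ua.FK_AuthActionID FROM UserActions ua " +
            "JOIN Users u ON u.userID = ua.FK_userID WHERE u.UserName = @userName";
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@userName", userName);
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    result.Add(reader.GetInt32(0));
            }
        }
        return result;
    }
}

// Global.asax.cs: forms authentication has already set User.Identity here, so
// the database is read once per request and every later check is an in-memory
// lookup on the principal.
public class Global : HttpApplication
{
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal current = HttpContext.Current.User;
        if (current == null || !current.Identity.IsAuthenticated)
            return; // anonymous request: keep the default principal
        List<int> granted = AuthRepository.LoadActions(current.Identity.Name);
        HttpContext.Current.User = new ActionPrincipal(current.Identity, granted);
    }
}

// Page code-behind; cmdUpdateOrders is assumed to be a Button in the .aspx markup.
public partial class OrdersPage : Page
{
    private ActionPrincipal Auth { get { return User as ActionPrincipal; } }

    protected void Page_Load(object sender, EventArgs e)
    {
        cmdUpdateOrders.Enabled = Auth != null && Auth.Can(AuthAction.UpdateOrders);
    }

    protected void CmdUpdateOrders_Click(object sender, EventArgs e)
    {
        // A disabled button only shapes the UI; the handler must check again,
        // because a postback can be crafted without the button being enabled.
        if (Auth == null || !Auth.Can(AuthAction.UpdateOrders))
            throw new UnauthorizedAccessException("Update Orders is not permitted.");
        // ... perform the update
    }
}
```

Because the grants are re-read from the database on every request rather than kept in Session or Cache, a change an administrator makes takes effect on the user's next request without the change-tracking flags kbac mentions; if that per-request query becomes a cost, caching per user with a short expiry is the usual trade-off.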