Role management using Classic ASP and VBScript

Hello experts:

I am using Classic ASP, VBScript, MS-Access and Godaddy shared hosting.

I am trying to build a website that will have folks with different roles logging in to do specific tasks.

For example, I will have SuperAdmin, Admin, Operators, Sales.

What is the easiest way for a noob like me to accomplish this?  They would log in using their email address and a password, but how will I tell the system

1.)  who can go where and,
2.)  carry this "credential" from page to page?

Any input will be greatly appreciated.


Who is Participating?
markdmacConnect With a Mentor Commented:
I think this link will help you out:
tobzzzConnect With a Mentor Commented:
Hi driven13

In your MS Access database, you should create a table called logins. In that table, store email address, password and accesslevel. You could make accesslevel an id number:
1 = SuperAdmin,
2 = Admin
3 = Operators
4 = Sales
Next, you would create a login page where the person enters their email and password. YOu would then reference this against the database, if the username and password match an entry you should return the accesslevel id to your asp page. So the SQL would be something like
SELECT accesslevel FROM logins WHERE email = request.form("email") and password = request.form("pass")
If there are 0 results response.write a message like "log in not found"
If there is a result, set a session which will stay in the browsers memory indicating what the users access level is. Maybe in a select case statment like:
Select Case accesslevel
    CASE 1 : session("loginType") = "SuperAdmin"
    CASE 2:  session("loginType") = "Admin"
End Select
Then in the pages in the secure area you can check the login type has sufficient privilegde to access the pages:
<% If session("LoginType") <> "Admin" then response.redirect("Main.asp") %>

Good Luck!
The login system is the easy part. Note that there are different variants. The different roles could have cumulative rights ("operator" can do everything "sales" can plus something more, "admin" can do everything "operator" can do plus something more etc), or the different roles could have specifically defined rights which are not necessarily cumulative.

The hard part is to implement the roles in the actual pages.

What I have done in such a situation is to list all functionality in the application into a table in the database. In another table in the database I have listed all .asp pages in the application, with a reference to the functionality. Lastly there is a table for permissions where each defined role is mapped with the defined functionalites as "none", "read" or "edit".

A generic include is used in each page which finds the current page-name (as in "thispage.asp"), gets the functionality of this page from the database and checks the permissions of the role of the current user.

You could simplify it by organizing asp pages in directories and grant grant permissions to roles on certain directories (in my case that was not a good solution).

All Courses

From novice to tech pro — start learning today.