Dynamic Roles in ASP.NET 2.0
Greeting Experts,
We have a website written in ASP.NET 2.0 with numerous users. Each user’s access to various pages is controlled through the standard framework Roles. Specifically, the roles are stored in the aspnet_Roles table and the access is specified through the Web.config file using the ‘authorization / allow roles’ tag.
Example of roles include: “StandardUser” and “ManagerUser”
This works great! However, the data in the system has been divided into accounts and we now have a need to grant users different Roles (permissions) depending on which account they are in. For example User1 might be a “ManagerUser” in Account1 but a “StandardUser” in Account2. As the user switch between the two accounts, we need the Roles to switch accordingly, e.g. the management page should not be accessible while user is in Account2.
Note: Requiring the user to login with different names depending on the account is not an option.
What’s the best practice approach for handing this?
Thanks,
Karsten
We have a website written in ASP.NET 2.0 with numerous users. Each user’s access to various pages is controlled through the standard framework Roles. Specifically, the roles are stored in the aspnet_Roles table and the access is specified through the Web.config file using the ‘authorization / allow roles’ tag.
Example of roles include: “StandardUser” and “ManagerUser”
This works great! However, the data in the system has been divided into accounts and we now have a need to grant users different Roles (permissions) depending on which account they are in. For example User1 might be a “ManagerUser” in Account1 but a “StandardUser” in Account2. As the user switch between the two accounts, we need the Roles to switch accordingly, e.g. the management page should not be accessible while user is in Account2.
Note: Requiring the user to login with different names depending on the account is not an option.
What’s the best practice approach for handing this?
Thanks,
Karsten
ASKER
Thanks for the feedback. I understand that Roles are by user. I also understand that i'll need a way to specify the exact permissions for each user for each account.
My Question is what would be a best practice approach for implementing these dynamic roles? I'm hoping for suggestions on how I can leverage as much of the existing framework as possible. Is there a way to derive existing classes to achieve this? I want this to be a non-hack solution.
My Question is what would be a best practice approach for implementing these dynamic roles? I'm hoping for suggestions on how I can leverage as much of the existing framework as possible. Is there a way to derive existing classes to achieve this? I want this to be a non-hack solution.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I'll update this answer if I find a better appproach while working on this area.
ASKER
FYI: I ended up writing a custom RoleProvider to replace the default SQLRoleProvider. Even thought this required significantly more code to be written it is much more flexible and allows us to do what we want today and in the future.
now you need something by is by the data/object/item level, let's call this X
come up a term for the X, maybe like data-access-scheme
everytime items are by default non-accessible, admin need to explicit define what the user/role can do on specific type of data (Account1, Account2)
- CRUD permissions
you would best define a proper term/scheme-level/data-att
maybe like "general-data", "finanicial-sensitive-data
you either fix/hardcode the Q pertain to the data in your code, or come up another engine to allow configuration