control-level security in ASP.NET

hello,
i want to make a page and more than a user can access the same page.
but each user can see the controls on the page depending on its rule.
for example
user of rule "admin" can see the button "add user", "delete user" and "help"
while the user of rule "member" can see only the buttons "help"

so the page i want to build will have 3 buttons but each user will only see what he is supposed to see only.


any suggestions of the best mechanism to implement such a security??

thanks in advance :)
Suma5566Asked:
Who is Participating?
 
JosephEricDavisConnect With a Mentor Commented:
I'm guessing you already have some sort of membership working in your site already so that you can identify the currently logged in user and what type of user role or group they belong to.

In the code behind in the page load you could give conditional logic to show or hide the different buttons based on which role the currently logged in user is part of.

If(User.IsInRole("admin"))
{
     btnAddUser.Visible = true;
     btnDeleteUser.Visible = true;
     btnHelp.Visible = true;
}
else if(User.IsInRol("member"))
{
     btnAddUser.Visible = false;
     btnDeleteUser.Visible = false;
     btnHelp.Visible = true;
}
0
 
Suma5566Author Commented:
thanks for your answer, i will consider your answer.

but i was thinking of a different solution, if you or another person may help me with it.

the idea is.....for example button "help" has property called "AllowedUsers" and this property can hold more than one value, lets say "Admin" and "Marketing".

for example, lets assume this code:

foreach(control cn in page.Controls)
{
     if(con.AllowedUsers.contains(LogedInUser.Role))
         con.visible=true;
     else
         con.visible = false;
}

I'm guessing if there is someway to implement it this way?
0
 
Kyle AbrahamsConnect With a Mentor Senior .Net DeveloperCommented:
you would have to extend each control to have an AllowedUsers property.

The other thing to do is to define roles within your application
eg(Read / Write)

then based on the groups assign the user the proper role.  This could be done on a page by page basis.  

Say marketing can adjust marketing material, and see sales material (but not edit).  Your example wouldn't handle this unless you modified AllowedUsers on the page load (which is dangerously close to Authorized Users who may or may not be able to view the page at all) . . . it seems more of a global thing to me.

By adding General application level roles you could specify Marketting has modify writes on some pages but not on others.

0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.