Implementing Field / Column Level Security in Web API

I have a .NET Web API that allows clients to retrieve information about People and related data. There are several non-fixed roles (multi-population) in the system, and each Role has access to certain fields; for example, an Admin can see Date of Birth, a non-Admin cannot.

Application structure:

Client > Controllers > Business / Service Layer > Repositories > Database

Data access is currently managed with a combination of EntityFramework for add / update / remove and Dapper for queries.

My question is: is there an accepted standard / general approach to filtering field-level data going out to the client, and coming back from the client before the models are updated in the database? Ideally there would be some sample code or an application demonstrating the approach.

My initial thought is to filter the ViewModels before they are sent to the client and perform checks before updating the EntityFramework models, but that seems disjointed. I am also not 100% sure that this is the best approach anyway.

Other possible options that I considered:

  • Use a formatter to remove data before sending it to the client, and a custom security attribute to filter data before it hits the controller actions.
  • Move away from EntityFramework and implement my own secured data access layer to handle all of this.
  • Implement the security at the database level.
  • A ViewModel per object per role, although I ruled this out, as with fluid roles this could explode pretty quickly.

I don't know of any frameworks that offer field-level security, but many commercial products offer highly customizable field-level security, for example SalesForce, Microsoft CRM, etc. In essence I would like to implement something similar, but on a smaller scale.

+3
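The following is an added example, not code from the question or from any answer to it, showing one way to do the filtering the asker describes in the service layer rather than with a ViewModel per role. Because the roles are not fixed, the read/write permissions per field are held in a data-driven policy object (in a real system it would be loaded from the database or configuration) instead of attributes compiled into the models. The policy is deny-by-default: a field with no rule is visible to nobody. Outbound, the view model is projected to a dictionary containing only readable properties, so hidden fields are omitted rather than nulled (a null would be ambiguous for a genuinely null value). Inbound, a partial update is rejected as a whole if it names any field the caller may not write, rather than silently dropping those fields. `PersonViewModel`, the role names, and the field rules are all hypothetical; it assumes .NET 6 or later and System.Text.Json.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Text.Json;

// Hypothetical view model for the example; names are assumptions.
public sealed class PersonViewModel
{
    public int Id { get; set; }
    public string Name { get; set; } = "";
    public DateTime? DateOfBirth { get; set; }
}

// Which roles may read and which may write a single field. "*" means any role.
public sealed record FieldRule(IReadOnlySet<string> Read, IReadOnlySet<string> Write);

// Data-driven policy keyed by property name. Roles are not fixed, so the rules are
// data (loaded from DB/config in a real system) rather than attributes on the model.
public sealed class FieldPolicy
{
    private readonly Dictionary<string, FieldRule> _rules;

    public FieldPolicy(Dictionary<string, FieldRule> rules) =>
        _rules = new Dictionary<string, FieldRule>(rules, StringComparer.OrdinalIgnoreCase);

    public bool CanRead(string field, IReadOnlySet<string> roles) => Allowed(field, roles, r => r.Read);
    public bool CanWrite(string field, IReadOnlySet<string> roles) => Allowed(field, roles, r => r.Write);

    // Deny by default: a field with no rule is neither readable nor writable by anyone.
    private bool Allowed(string field, IReadOnlySet<string> roles, Func<FieldRule, IReadOnlySet<string>> pick)
    {
        if (!_rules.TryGetValue(field, out var rule)) return false;
        var allowed = pick(rule);
        return allowed.Contains("*") || roles.Any(role => allowed.Contains(role));
    }
}

public static class FieldSecurity
{
    private static PropertyInfo[] Props<T>() =>
        typeof(T).GetProperties(BindingFlags.Public | BindingFlags.Instance);

    // Outbound: project the model to only the properties the caller may read.
    // Unreadable fields are omitted entirely, not set to null.
    public static Dictionary<string, object?> Project<T>(T model, FieldPolicy policy, IReadOnlySet<string> roles)
    {
        var result = new Dictionary<string, object?>();
        foreach (var prop in Props<T>())
            if (policy.CanRead(prop.Name, roles))
                result[JsonNamingPolicy.CamelCase.ConvertName(prop.Name)] = prop.GetValue(model);
        return result;
    }

    // Inbound: apply a partial JSON update, but only after confirming every named field
    // is known and writable by the caller. Any denied field rejects the whole request,
    // so a client cannot smuggle a protected field in alongside legitimate ones.
    public static void ApplyUpdate<T>(T target, JsonElement patch, FieldPolicy policy, IReadOnlySet<string> roles)
    {
        if (patch.ValueKind != JsonValueKind.Object)
            throw new ArgumentException("Update body must be a JSON object.", nameof(patch));

        var props = Props<T>().ToDictionary(p => p.Name, StringComparer.OrdinalIgnoreCase);
        var denied = new List<string>();
        var changes = new List<Action>();

        foreach (var field in patch.EnumerateObject())
        {
            if (!props.TryGetValue(field.Name, out var prop) || !policy.CanWrite(prop.Name, roles))
            {
                denied.Add(field.Name); // unknown fields are treated the same as forbidden ones
                continue;
            }
            var value = JsonSerializer.Deserialize(field.Value.GetRawText(), prop.PropertyType);
            changes.Add(() => prop.SetValue(target, value)); // defer until all fields pass
        }

        if (denied.Count > 0)
            throw new UnauthorizedAccessException("Fields not writable by caller: " + string.Join(", ", denied));
        foreach (var apply in changes) apply();
    }
}

public static class Demo
{
    static HashSet<string> Roles(params string[] r) => new(r, StringComparer.OrdinalIgnoreCase);

    public static void Main()
    {
        // Constructed policy for the example; in the real app this comes from the database.
        var policy = new FieldPolicy(new Dictionary<string, FieldRule>
        {
            ["Id"]          = new(Read: Roles("*"),     Write: Roles()),
            ["Name"]        = new(Read: Roles("*"),     Write: Roles("Admin", "HR")),
            ["DateOfBirth"] = new(Read: Roles("Admin"), Write: Roles("Admin")),
        });
        var person = new PersonViewModel { Id = 7, Name = "Ada", DateOfBirth = new DateTime(1990, 1, 1) };

        Console.WriteLine(JsonSerializer.Serialize(FieldSecurity.Project(person, policy, Roles("Admin")))); // has dateOfBirth
        Console.WriteLine(JsonSerializer.Serialize(FieldSecurity.Project(person, policy, Roles("User"))));  // id and name only

        var patch = JsonDocument.Parse("{\"name\":\"Ada L.\",\"dateOfBirth\":\"1985-12-10\"}").RootElement;
        FieldSecurity.ApplyUpdate(person, patch, policy, Roles("Admin")); // both fields applied
        try { FieldSecurity.ApplyUpdate(person, patch, policy, Roles("HR")); }
        catch (UnauthorizedAccessException e) { Console.WriteLine(e.Message); } // dateOfBirth rejected, nothing applied
    }
}
```

Putting `Project` and `ApplyUpdate` in the business/service layer means both the Dapper read path and the EntityFramework write path go through the same policy, which addresses the "disjointed" concern: there is one rule set, consulted in two directions. How the caller's claims are turned into the `roles` set (from the current principal, a token, or a lookup) is outside this example and is assumed to happen in the controller.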






