In ASP.NET, what to use to manage the roles and permissions assigned to roles?

I am working on an ASP.NET web application. I have this well-known issue: each user can belong to one or more roles (administrator, public users) and each role can have one or more permissions (can edit, delete, upload, etc.) and vice versa. I want to do something like this: http://demo.sitefinity.com/Sitefinity/Admin/Modules.aspx?route=GenericControlPanel.PermissionsView

I found these options to implement this:

  • using NetSqlAzMan (but I'm not sure if it will work with our application, since our users are not stored in the same DB as the application and since we are using forms authentication)
  • implementing my own classes that allow me to do: User.HasPermission / AddPermissionToUser / etc.
  • using 2 role providers, one to manage roles, one to manage permissions, knowing that these providers will be "linked" because of the m:n relationship between roles and permissions.
  • I am currently using a custom role provider, so another option would be to add methods to manage permissions to that provider.

I want to cache the roles and permissions for a given user as well. I think it will take me a while to do it myself, so what do you suggest?

Thank you in advance

+2




2 answers


If you find a good packaged solution for the permissions module, I'd love to see it :)

Generally speaking, the built-in security providers stop after the "identification" and "authorization" part. Once a user is identified and authorized to access the application, it is up to you to encode and control any more specific page-level or function-level permissions.

The permission level you are describing is actually quite advanced to implement. It resembles Access Control Lists (ACLs) in Windows. While it looks pretty straightforward, it's actually quite difficult to code. After you develop it, you will find that you need to implement the "deny" override permission, which has to handle multi-level group merges, and then deal with "special" permissions, and so on. Then you run into things like "Edit permissions also imply View, so what should I do if they don't have View but do have Add?"

It can be a real mess.



Before embarking on implementing permissions at this level of difficulty, I highly recommend that you step back and see if you can flatten your permissions and roles/groups a bit. Can't you just get away with making your roles the permissions? For example, a role for people who can edit, a role for people who can add, a role for people who can view, etc.

In most applications, you don't really need full ACL-like granularity in the permission system.

Once you've identified the permission level that your application actually requires, it's usually best to roll your own set of custom objects to manage those permissions. I must say that I never considered using a second, linked role provider as a permission manager before ... it's kind of a brilliant idea. But I wouldn't suggest doing it. The role provider was not designed for what you are trying to do, and you may have to extend and override the default behavior so much that it would be easier and more maintainable just to use a custom implementation from scratch.

+4


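One way to build the "custom objects" approach the answer above recommends, as an added example that is not code from the original post or from any product mentioned on this page. It is written in C# since the question concerns ASP.NET. Roles carry both allow and deny flags; Edit, Upload and Delete are assumed to imply View (one answer to the "do they have View if they only have Edit?" question); when a user's roles are merged, any explicit deny wins; and the effective permission set is cached per user so the role store is hit once. The `Permission` enum, `Role` class, `PermissionService` and the in-memory membership table are all assumptions for illustration. The role lookup is injected as a delegate so it can query your own store, which may live in a different database from the forms-authentication membership data, as in the question.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;

// Hypothetical permission model (assumption of this example, not from the post).
[Flags]
public enum Permission
{
    None   = 0,
    View   = 1,
    Edit   = 2,
    Upload = 4,
    Delete = 8,
}

public sealed class Role
{
    public string Name { get; }
    public Permission Allow { get; }
    public Permission Deny { get; }
    public Role(string name, Permission allow, Permission deny = Permission.None)
    { Name = name; Allow = allow; Deny = deny; }
}

public static class PermissionRules
{
    // Design choice: Edit, Upload and Delete only make sense if the user can also View.
    public static Permission WithImplied(Permission p)
    {
        if ((p & (Permission.Edit | Permission.Upload | Permission.Delete)) != Permission.None)
            p |= Permission.View;
        return p;
    }

    // Merge a user's roles: union of allows (with implied View), then any explicit deny wins.
    public static Permission Effective(IEnumerable<Role> roles)
    {
        var allow = Permission.None;
        var deny = Permission.None;
        foreach (var r in roles) { allow |= r.Allow; deny |= r.Deny; }
        return WithImplied(allow) & ~deny;
    }
}

// Per-user cache of effective permissions. The role lookup is injected so the
// backing store (your own DB, not the membership DB) stays outside this class.
public sealed class PermissionService
{
    private readonly Func<string, IEnumerable<Role>> _rolesForUser;
    private readonly ConcurrentDictionary<string, Permission> _cache =
        new ConcurrentDictionary<string, Permission>(StringComparer.OrdinalIgnoreCase);

    public PermissionService(Func<string, IEnumerable<Role>> rolesForUser)
    { _rolesForUser = rolesForUser; }

    public Permission GetEffective(string userName) =>
        _cache.GetOrAdd(userName, u => PermissionRules.Effective(_rolesForUser(u)));

    // True only if every flag in `required` is present in the effective set.
    public bool HasPermission(string userName, Permission required) =>
        (GetEffective(userName) & required) == required;

    // Call whenever a user's role membership or a role's permissions change,
    // otherwise the cache keeps serving stale grants.
    public void Invalidate(string userName) => _cache.TryRemove(userName, out _);
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample roles and membership; real data would come from your store.
        var editors     = new Role("Editors", Permission.Edit | Permission.Upload);
        var publicUsers = new Role("PublicUsers", Permission.View);
        var admins      = new Role("Administrators",
            Permission.View | Permission.Edit | Permission.Upload | Permission.Delete);
        // A restricting role: explicitly denies Delete even if another role allows it.
        var contractors = new Role("Contractors", Permission.Edit, deny: Permission.Delete);

        var membership = new Dictionary<string, Role[]>(StringComparer.OrdinalIgnoreCase)
        {
            ["alice"] = new[] { editors },
            ["bob"]   = new[] { publicUsers },
            ["carol"] = new[] { admins, contractors },
        };

        var svc = new PermissionService(
            u => membership.TryGetValue(u, out var r) ? r : Array.Empty<Role>());

        Console.WriteLine(svc.HasPermission("alice", Permission.View));   // True: Edit implies View
        Console.WriteLine(svc.HasPermission("alice", Permission.Delete)); // False
        Console.WriteLine(svc.HasPermission("bob", Permission.Edit));     // False
        Console.WriteLine(svc.HasPermission("carol", Permission.Edit));   // True
        Console.WriteLine(svc.HasPermission("carol", Permission.Delete)); // False: deny override wins
        Console.WriteLine(svc.HasPermission("dave", Permission.View));    // False: unknown user, no roles
    }
}
```

In a page or handler the check is a single call against the authenticated identity, for example `if (!svc.HasPermission(User.Identity.Name, Permission.Delete)) { /* deny */ }`, and the admin screen that edits role membership or a role's flags must call `Invalidate` for the affected users (or clear the whole cache) so a revoked grant does not keep working until the process restarts.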


Here is a tool that combines authentication, permissions and roles, and logging and auditing: http://visual-guard.com/

Authentication can be Windows, in which case it implements SSO, or a username/password combination.

There are 2 consoles available to manage users and permissions:

  • One is more developer oriented and provides a wizard for coding permission definitions (for .Net), plus deployment and versioning functionality.
  • The other is a web-based console for non-technical administrators, focused on user accounts, groups and their mapping to roles.



Permissions can be extremely fine-grained, with conditions (this form is visible to the "doctors" role from 8 am to 11 am because it is associated with medications that must be given only in the morning).

It was originally .Net-only; now they support other technologies like Java, Delphi, C++, basically any technology capable of invoking web services.

+2



