Implementing company, division and user access control management in MVC4 with EF

This is my first stackoverflow question, so please be gentle. I am writing a client portal to a repository using MVC4, Entity Framework and SimpleMembership. The repository stores content for several companies. Each company has divisions and departments. Users will have different access to information for their company, divisions and departments. I am looking for an elegant access control solution. So far, my model looks like this:

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.ComponentModel.DataAnnotations.Schema;

public class UserProfile
{
    public UserProfile()
    {
        this.AccessControl = new HashSet<AccessControl>();
    }

    [Key]
    [DatabaseGenerated(DatabaseGeneratedOption.Identity)]
    public int UserId { get; set; }
    public string UserName { get; set; }
    public Nullable<int> CompanyId { get; set; }
    // The property name was missing in the original post; the constructor assigns AccessControl
    public virtual ICollection<AccessControl> AccessControl { get; set; }
    public virtual Company Company { get; set; }
}

public class AccessControl
{
    public int AccessControlId { get; set; }
    public int UserId { get; set; }
    public int CompanyId { get; set; }
    public Nullable<int> DivisionId { get; set; }    // NULL = all divisions
    public Nullable<int> DepartmentId { get; set; }  // NULL = all departments
    public Boolean ReadAccess { get; set; }
    public Boolean WriteAccess { get; set; }
    // other properties for access control
    public virtual UserProfile UserProfile { get; set; }
    public virtual Company Company { get; set; }
    public virtual Division Division { get; set; }
    public virtual Department Department { get; set; }
}

public class Content
{
    public int ContentId { get; set; }
    public int CompanyId { get; set; }
    public int DivisionId { get; set; }
    public int DepartmentId { get; set; }
    // Various other properties
    public virtual Company Company { get; set; }
    public virtual Division Division { get; set; }
    public virtual Department Department { get; set; }
}
```

My thought was that a NULL Division means all divisions, and a NULL Department means all departments. My questions:

  • What is an elegant way to write a repository method that retrieves a list of Content objects for a user based on their access control list, and populates the division and department selection lists in the CRUD views?
  • Is there a better way to simulate this access control list?
2 answers

I don't think this answers all of your questions, but I think the repository would look something like this:

```csharp
using System.Linq;

public class accessRepository
{
    accessContext context = new accessContext();

    public IQueryable<Content> GetAccessibleContentFor(int userId)
    {
        var up = context.UserProfiles.Single(u => u.UserId == userId);
        var companyId = up.CompanyId;

        // Take the user's ACL entries as an IQueryable so that EF can translate the
        // Any() calls below to SQL; an in-memory entity collection such as
        // up.AccessControl cannot be referenced inside a LINQ to Entities query.
        var acl = context.Set<AccessControl>().Where(a => a.UserId == userId);

        return from c in context.Content
               where c.CompanyId == companyId
                     && (acl.Any(a => a.CompanyId == c.CompanyId
                                   && a.DivisionId == c.DivisionId
                                   && a.DepartmentId == c.DepartmentId)   // exact division and department
                         || acl.Any(a => a.CompanyId == c.CompanyId
                                      && a.DivisionId == c.DivisionId
                                      && a.DepartmentId == null)          // whole division
                         || acl.Any(a => a.CompanyId == c.CompanyId
                                      && a.DivisionId == null))           // whole company
               select c;
    }
}
```

This will return the available content if:

  • The content belongs to the user's company.
  • The user can access the content for the company, division and department.
  • Or the user can access the content for the company and the division (all departments).
  • Or the user can access the content for the company (all divisions) [all departments are assumed in this case].
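The wildcard rule from the question (NULL division = all divisions, NULL department = all departments), as an added stand-alone example that is not code from the question or either answer: the same matching predicate the answer's query uses, run in memory with deny-by-default, the Read/Write flags enforced, and an inconsistent entry (department set but division NULL) ignored instead of being read as whole-company access. The two classes are trimmed stand-ins for the question's entities, and the ACL and content rows are constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Trimmed stand-ins for the question's entities: null DivisionId = every division, null DepartmentId = every department.
public class AccessControl { public int CompanyId; public int? DivisionId, DepartmentId; public bool ReadAccess, WriteAccess; }
public class Content { public int CompanyId, DivisionId, DepartmentId; }

public static class AclCheck
{
    // Deny by default: grant only when some entry covers the content's scope and carries
    // the requested permission. An entry with a department but no division is inconsistent
    // and matches nothing, so it can never widen into whole-company access.
    // The predicate uses only nullable comparisons, so it also translates under LINQ to Entities.
    public static bool Allows(IEnumerable<AccessControl> acl, Content c, bool write)
    {
        return acl.Any(a =>
            a.CompanyId == c.CompanyId
            && (a.DivisionId == null
                    ? a.DepartmentId == null                       // whole-company entry, department must be null too
                    : a.DivisionId == c.DivisionId
                      && (a.DepartmentId == null || a.DepartmentId == c.DepartmentId))
            && (write ? a.WriteAccess : a.ReadAccess));
    }

    public static void Main()
    {
        // Constructed sample ACL for one user in company 1.
        var acl = new List<AccessControl>
        {
            new AccessControl { CompanyId = 1, DivisionId = 10, DepartmentId = 100, ReadAccess = true, WriteAccess = true },
            new AccessControl { CompanyId = 1, DivisionId = 20, DepartmentId = null, ReadAccess = true },
            new AccessControl { CompanyId = 1, DivisionId = null, DepartmentId = 300, ReadAccess = true }, // inconsistent
        };
        var items = new[]
        {
            new Content { CompanyId = 1, DivisionId = 10, DepartmentId = 100 }, // read and write
            new Content { CompanyId = 1, DivisionId = 20, DepartmentId = 250 }, // read only, via the division entry
            new Content { CompanyId = 1, DivisionId = 30, DepartmentId = 300 }, // denied, inconsistent entry ignored
            new Content { CompanyId = 2, DivisionId = 10, DepartmentId = 100 }, // denied, other company
        };
        foreach (var c in items)
            Console.WriteLine($"{c.CompanyId}/{c.DivisionId}/{c.DepartmentId}: read={Allows(acl, c, false)} write={Allows(acl, c, true)}");
    }
}
```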

You should look into a policy-based, attribute-based solution that is independent of your application, where you can write authorization policies such as:

a user can access content in the repository if content.department == user.department && content.company == user.company.

XACML sounds like a perfect fit. I wrote this demo, where I control access to purchase orders based on the buyer, the amount, the location and the status. I do not need to change the application code because I apply XACML from the outside.

