If you want to protect assets (files, database rows, domain entities, documents, etc.) instead of application functions or user capabilities, role-based security does not work very well.
The best model is to use access control lists (ACLs), as you know from NTFS. You yourself said this because you need to assign specific permissions for each object to each user or role. This is what the ACL does.
If you need to protect objects that end up being strings in SQL Server, you will need to define custom tables for the ACL, because SQL Server does not support row-level permissions.
Based on the data in these ACLs, you must perform the necessary security checks on your data access components.
Here are some links to the relevant SO answers:
- Access control in ASP.NET MVC depending on input parameters / service level?
- What is the best mechanism for implementing granular security (i.e. authorization) in an ASP.NET MVC application?
- How to implement an invitation code to share a resource with another user?
Mark Seemann
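The answer above says to keep custom ACL tables in SQL Server and to run the checks in the data access layer. The following T-SQL is an added illustration of that shape, not code from the answer or from any project it links to. Every table, column and name here (`Documents`, `DocumentAcl`, `UserRoles`, the bit values 1/2/4 for read/write/delete, the sample users) is an assumption chosen for the example.

```sql
-- Added example, not from the answer above. Table, column and permission-bit
-- names are assumptions; sample rows are constructed for illustration.

CREATE TABLE dbo.Documents (
    DocumentId  INT           NOT NULL PRIMARY KEY,
    Title       NVARCHAR(200) NOT NULL
);

-- One access control entry (ACE) per (object, principal). A principal is a
-- user ('U') or a role ('R'). PermissionMask is a bit field:
-- 1 = Read, 2 = Write, 4 = Delete (assumed values).
CREATE TABLE dbo.DocumentAcl (
    DocumentId     INT           NOT NULL REFERENCES dbo.Documents(DocumentId) ON DELETE CASCADE,
    PrincipalType  CHAR(1)       NOT NULL CHECK (PrincipalType IN ('U', 'R')),
    PrincipalName  NVARCHAR(128) NOT NULL,
    PermissionMask INT           NOT NULL,
    CONSTRAINT PK_DocumentAcl PRIMARY KEY (DocumentId, PrincipalType, PrincipalName)
);

-- Role membership, so an ACE granted to a role applies to each member.
CREATE TABLE dbo.UserRoles (
    UserName NVARCHAR(128) NOT NULL,
    RoleName NVARCHAR(128) NOT NULL,
    CONSTRAINT PK_UserRoles PRIMARY KEY (UserName, RoleName)
);

-- Constructed sample data.
INSERT INTO dbo.Documents VALUES (1, N'Quarterly report'), (2, N'HR notes');
INSERT INTO dbo.UserRoles VALUES (N'alice', N'Finance');
INSERT INTO dbo.DocumentAcl VALUES
    (1, 'R', N'Finance', 1),   -- Finance role may read document 1
    (1, 'U', N'bob',     3),   -- bob may read and write document 1
    (2, 'U', N'carol',   7);   -- carol has read, write and delete on document 2
GO

-- The per-object check the data-access component runs before reading,
-- updating or deleting one row. Effective rights are the union of the ACEs
-- for the user and for every role the user belongs to; the function returns 1
-- only when every bit in @Required is present.
CREATE FUNCTION dbo.HasDocumentPermission
    (@UserName NVARCHAR(128), @DocumentId INT, @Required INT)
RETURNS BIT
AS
BEGIN
    DECLARE @Effective INT;

    -- MAX per bit is a bitwise OR over the matching ACEs for the three known bits.
    SELECT @Effective = ISNULL(MAX(a.PermissionMask & 1), 0)
                      + ISNULL(MAX(a.PermissionMask & 2), 0)
                      + ISNULL(MAX(a.PermissionMask & 4), 0)
    FROM dbo.DocumentAcl AS a
    WHERE a.DocumentId = @DocumentId
      AND ( (a.PrincipalType = 'U' AND a.PrincipalName = @UserName)
         OR (a.PrincipalType = 'R' AND a.PrincipalName IN
                (SELECT ur.RoleName FROM dbo.UserRoles AS ur WHERE ur.UserName = @UserName)) );

    RETURN CASE WHEN (@Effective & @Required) = @Required THEN 1 ELSE 0 END;
END;
GO

-- Listing: return only the documents @UserName may read. The ACL filter is part
-- of the query itself, so rows the user cannot see are never loaded and then
-- filtered in application code.
DECLARE @UserName NVARCHAR(128) = N'alice';
SELECT d.DocumentId, d.Title
FROM dbo.Documents AS d
WHERE EXISTS (
    SELECT 1
    FROM dbo.DocumentAcl AS a
    WHERE a.DocumentId = d.DocumentId
      AND (a.PermissionMask & 1) = 1
      AND ( (a.PrincipalType = 'U' AND a.PrincipalName = @UserName)
         OR (a.PrincipalType = 'R' AND a.PrincipalName IN
                (SELECT ur.RoleName FROM dbo.UserRoles AS ur WHERE ur.UserName = @UserName)) ));

-- Single-object check before a write (bit 2): alice only reads through her role,
-- bob holds write directly.
SELECT dbo.HasDocumentPermission(N'alice', 1, 2) AS AliceCanWrite,
       dbo.HasDocumentPermission(N'bob',   1, 2) AS BobCanWrite;
```

Two design points worth keeping in mind: the scalar function is fine for a single-object check, but for lists use the set-based `EXISTS` form rather than calling the function in a `WHERE` clause per row, and keep the grant/deny decision entirely in the ACL rows so that adding a new user or role never requires a code change, which is the property the answer is arguing for.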