ASP.NET Security Roles and Permissions

I like the ASP.NET security model, through which you can allow / deny access to users in web.config based on which roles they are in, for example:

    <system.web>
      <authorization>
        <allow roles="Admin" />
      </authorization>
    </system.web>

However, what I want to do is give the administrator user a set of permissions that can then be checked, for example an admin user with permissions such as "can print documents" and "can delete documents".

Is this possible with the built-in model, or do I need to go down a custom route?

+6
5 answers

You can use AzMan as described in this MSDN article.

But there are a few things in AzMan that I don't like, so I implemented my own as a complement to RoleProvider (additional tables, APIs and administrative tools that manage the mapping of permissions to roles).

My custom implementation is very simple:

  • M:N relationship between roles and permissions.

  • A "HasPermission" API, which checks whether the given principal has the given permission. It simply iterates through all the roles and checks whether the role has the given permission. The role-to-permission mappings are cached using the ASP.NET cache for performance reasons.

+4
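The role-to-permission check the answer above describes, as an added example (not the answer's own code): a Flags-based permission set, an in-memory role → permission map standing in for the extra tables, and a principal that answers both IsInRole and HasPermission from the same role list. The RolePermissionStore class, its sample mappings and the PermissionPrincipal name are constructed for illustration; a real store would load the map from the database and cache it as the answer says.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

// Permissions as bit flags: a role holds several, and a check is a mask test.
[Flags]
public enum Permission { None = 0, ViewDocument = 1, PrintDocument = 2, DeleteDocument = 4 }

// Stands in for the extra role -> permission tables (constructed sample data);
// a real store loads this from the database and caches it (e.g. HttpRuntime.Cache).
public class RolePermissionStore
{
    private readonly Dictionary<string, Permission> _map =
        new Dictionary<string, Permission>(StringComparer.OrdinalIgnoreCase)
        {
            { "Reader", Permission.ViewDocument },
            { "Clerk",  Permission.ViewDocument | Permission.PrintDocument },
            { "Admin",  Permission.ViewDocument | Permission.PrintDocument | Permission.DeleteDocument }
        };

    public Permission PermissionsFor(string role)
    {
        Permission p;
        return _map.TryGetValue(role, out p) ? p : Permission.None; // unknown role grants nothing
    }
}

// Principal built after authentication from the roles the membership layer returned,
// so User.IsInRole keeps working and HasPermission is derived from the same roles.
public class PermissionPrincipal : IPrincipal
{
    private readonly HashSet<string> _roles;
    private readonly RolePermissionStore _store;
    public PermissionPrincipal(IIdentity identity, IEnumerable<string> roles, RolePermissionStore store)
    {
        Identity = identity;
        _roles = new HashSet<string>(roles, StringComparer.OrdinalIgnoreCase);
        _store = store;
    }
    public IIdentity Identity { get; private set; }
    public bool IsInRole(string role) { return _roles.Contains(role); }

    // Union the permissions of every role, then require all requested bits; deny by default.
    public bool HasPermission(Permission required)
    {
        if (required == Permission.None) return false;
        var granted = _roles.Aggregate(Permission.None, (acc, r) => acc | _store.PermissionsFor(r));
        return (granted & required) == required;
    }
}
```

With the sample map, a principal holding only "Clerk" passes HasPermission(Permission.PrintDocument) and fails HasPermission(Permission.DeleteDocument); assign the principal to HttpContext.User in the authentication step so both checks are available per request.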

This is not out of the box; but if you want to be more granular, why not have granular roles like "CanPrint" and "CanDelete" rather than broader ones like "Admin"?

If you need the container-type scenario you indicate in your comments, you can configure your own IPrincipal, where, after authentication and with each new request, you look up the user's role membership ("Admin", "Public", etc.) and then override IsInRole on your IPrincipal. You can find an example here.

+2

I found this article that gives a good example:

    using System;
    using System.Security.Authentication;
    using System.Web.Mvc;

    // Permissions as bit flags; Admin is the union of the others.
    [Flags]
    public enum Permissions
    {
        View   = (1 << 0),
        Add    = (1 << 1),
        Edit   = (1 << 2),
        Delete = (1 << 3),
        Admin  = (View | Add | Edit | Delete)
    }

    // Login action: the authenticated user (with its permissions) is kept in session.
    public ActionResult Authenticate(string username, string password)
    {
        var user = authenticationService.Authenticate(username, password);
        Session["User"] = user;
        return RedirectToAction("Somewhere", "Else");
    }

    // Action filter that enforces the required permission bits before the action runs.
    public class PermissionsAttribute : ActionFilterAttribute
    {
        private readonly Permissions required;

        public PermissionsAttribute(Permissions required)
        {
            this.required = required;
        }

        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            // GetUser() and HasPermissions() are helper methods defined in the article, not shown here.
            var user = filterContext.HttpContext.Session.GetUser();
            if (user == null)
            {
                // send them off to the login page
                var url = new UrlHelper(filterContext.RequestContext);
                var loginUrl = url.Content("~/Home/Login");
                filterContext.HttpContext.Response.Redirect(loginUrl, true);
            }
            else
            {
                if (!user.HasPermissions(required))
                {
                    throw new AuthenticationException("You do not have the necessary permission to perform this action");
                }
            }
        }
    }

    // Usage: the action only runs for users holding the View permission.
    [Permissions(Permissions.View)]
    public ActionResult Index()
    {
        // ...
    }

+1

You can return PERMISSIONS instead of ROLES from your RoleProvider.

    // The role provider hands back the user's granted permissions in place of role names,
    // so Roles.IsUserInRole / User.IsInRole become permission checks.
    public override string[] GetRolesForUser(string username)
    {
        return GetGrantedPermissions(username);
    }

Then create your admin pages to assign the granted rights to the role and, of course, the user to the role.

0

Yes, it is possible. Create the necessary roles, add users to the roles, and then just check User.IsInRole in your code wherever you perform an action that requires this role.

Take a look at the Roles and Membership classes in System.Web.Security.

-2