Data Layer Authorization in ASP.Net MVC 3

I need to develop a user management application. I need to authorize the user at the data level. Example:

Banking example:

  • Clients - Example: Bank1, Bank2, Bank3, Bank4.
  • Branch Status - Example: Stat1, State2, State3, State4
  • Branches Area - Example: Area1, Area2, Area3, Area4
  • Services - verification, direct debit, standing order

When a user logs in, he will be able to see only some clients, some state branches and some district branches, depending on the branches, objects, etc. assigned to him in the user management application. This differs from user to user.

Can someone please help me with this level of authorization: are there any standard tools for it, or if not, is there a good DB model for this?

+7
3 answers

You need to implement your own authorization mechanism: create an access list in which you save the user's access level (provided that there are a lot of things), for example:

    UserAuthorization (UserId, EntityId, EntityType)

UserId: link to the user.

EntityId: identifier of the item you want to grant access to.

EntityType: the type of item you want to grant access to (client, state, county, object).

    +--------+----------+------------+
    | UserId | EntityId | EntityType |
    +--------+----------+------------+
    |   1    |    2     |  CLIENT    |
    |   1    |    2     |  STATE     |
    |   1    |    3     |  DISTRICT  |
    +--------+----------+------------+

You can, and should, use an integer to represent EntityType; I wrote it as text only for the example.

+5

You can look at ClaimsPrincipal and use claims-based authorization. WIF is integrated into .NET 4.5. A summary is here: http://msdn.microsoft.com/en-us/library/ms729851.aspx

You may have to create access control lists around each of the objects in the system. Ultimately, you need an easy way to uniquely identify the object; I was thinking of using a GUID. Then a claim is required for this GUID. Obviously it gets more complex once you need read and write permissions. You can end up with a lot of claims if you grant access directly on the object.

Ultimately, do you want to define permissions on individual objects? Maybe some kind of grouping is better? If you can manage a bank, you can manage all its states; if you manage a district, you manage all the district's branches, etc.

I would try to group users into groups and then assign permissions to the groups. When you manage files in NTFS, you rarely grant access to a single file.

If you grant someone permission through a group, first do the group check, and if they don't have that claim, check the object.

You may need to build something custom using http://msdn.microsoft.com/en-us/library/system.security.claims.claimsauthorizationmanager.aspx . You tell the application that you want to change the bank, etc., and it then checks whether you have permission for that particular bank. I think you should put the ACL logic in the CheckAccess method.

Also see http://thinktecture.github.com/Thinktecture.IdentityModel.45/

I also found the following post http://leastprivilege.com/2012/06/24/approaches-to-server-side-authorization/ - read Lucero's suggestion at the end. Basically the same as above.

+1

Thanks for the answers. Please find sample data below. It can reach three / n levels.

    UserId  UserName
    USR1    John
    USR2    William
    USR3    Joseph
    USR4    Mathew
    USR5    George

    ClientId  ClientName
    CL1       Barclays
    CL2       LLoyds TSB
    CL3       Natwest
    CL4       Nationwide
    CL5       HSBC

    CountryId  CountryName
    CON1       England
    CON2       Wales
    CON3       Scotland
    CON4       Northern Ireland

    CountryId  CityId  CityName
    CON1       CTY1    Liverpool
    CON1       CTY2    Waterloo
    CON1       CTY3    Piccadilly
    CON2       CTY4    Cardiff
    CON2       CTY5    Ammanford
    CON2       CTY6    Abergele
    CON3       CTY7    Glasgow
    CON3       CTY8    Edinburgh
    CON3       CTY9    Aberdeen
    CON4       CTY10   Belfast
    CON4       CTY11   Hannahstown
    CON4       CTY12   Springfield

    CountryId  CityId  BranchId  BranchName
    CON1       CTY1    BRC1      Branch1
    CON1       CTY1    BRC2      Branch2
    CON1       CTY1    BRC3      Branch3
    CON2       CTY4    BRC4      Branch4
    CON2       CTY4    BRC5      Branch5
    CON2       CTY4    BRC6      Branch6

    UserId  ClientId  CountryId  CityId  BranchId
    USR1    CL1       CON1       CTY1    BRC1
    USR1    CL1       CON1       CTY1    BRC2
    USR2    CL2       CON1       CTY1    BRC1
    USR2    CL2       CON1       CTY1    BRC2
0
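The following is an added example, not code from the question or from either answer: a Python/sqlite3 model that combines the first answer's UserAuthorization (UserId, EntityId, EntityType) table, with EntityType stored as an integer, and the "check the group first, then the object" rule the second answer describes for a CheckAccess-style method, applied to the hierarchy in the sample data above. It assumes the hierarchy is Client > Country > City > Branch (the question's data does not state that countries belong to clients; that link, the integer type codes, the function names open_db, lineage, check_access and visible_branches, and the sample rows, including an invented Scotland branch BRC7, are all constructed for this demonstration).

```python
import sqlite3

# Integer EntityType codes, as the first answer recommends (constructed for this example).
CLIENT, COUNTRY, CITY, BRANCH = 1, 2, 3, 4

# Assumed hierarchy: Client > Country > City > Branch.  Each entry maps a type to
# its parent type and the query that finds the parent id of a given entity.
PARENT = {
    BRANCH:  (CITY,    "SELECT CityId    FROM Branch  WHERE BranchId  = ?"),
    CITY:    (COUNTRY, "SELECT CountryId FROM City    WHERE CityId    = ?"),
    COUNTRY: (CLIENT,  "SELECT ClientId  FROM Country WHERE CountryId = ?"),
}

SCHEMA = """
CREATE TABLE Client  (ClientId TEXT PRIMARY KEY, ClientName TEXT NOT NULL);
CREATE TABLE Country (CountryId TEXT PRIMARY KEY, ClientId TEXT NOT NULL, CountryName TEXT NOT NULL);
CREATE TABLE City    (CityId TEXT PRIMARY KEY, CountryId TEXT NOT NULL, CityName TEXT NOT NULL);
CREATE TABLE Branch  (BranchId TEXT PRIMARY KEY, CityId TEXT NOT NULL, BranchName TEXT NOT NULL);
-- The access list from the first answer: one row per (user, entity) grant.
CREATE TABLE UserAuthorization (
    UserId     TEXT    NOT NULL,
    EntityId   TEXT    NOT NULL,
    EntityType INTEGER NOT NULL,
    PRIMARY KEY (UserId, EntityId, EntityType));
"""

# Constructed sample rows modelled on the question's data (BRC7 is invented).
CLIENTS   = [("CL1", "Barclays"), ("CL2", "Lloyds TSB")]
COUNTRIES = [("CON1", "CL1", "England"), ("CON2", "CL1", "Wales"), ("CON3", "CL2", "Scotland")]
CITIES    = [("CTY1", "CON1", "Liverpool"), ("CTY4", "CON2", "Cardiff"), ("CTY7", "CON3", "Glasgow")]
BRANCHES  = [("BRC1", "CTY1", "Branch1"), ("BRC2", "CTY1", "Branch2"), ("BRC3", "CTY1", "Branch3"),
             ("BRC4", "CTY4", "Branch4"), ("BRC5", "CTY4", "Branch5"), ("BRC7", "CTY7", "Branch7")]
GRANTS = [
    ("USR1", "BRC1", BRANCH),   # object-level grants, as in the question's last table
    ("USR1", "BRC2", BRANCH),
    ("USR2", "CON2", COUNTRY),  # group-level grant: every branch in Wales
    ("USR3", "CL2",  CLIENT),   # group-level grant: everything under Lloyds TSB
]


def open_db():
    """Create an in-memory database holding the schema and the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Client  VALUES (?, ?)",    CLIENTS)
    conn.executemany("INSERT INTO Country VALUES (?, ?, ?)", COUNTRIES)
    conn.executemany("INSERT INTO City    VALUES (?, ?, ?)", CITIES)
    conn.executemany("INSERT INTO Branch  VALUES (?, ?, ?)", BRANCHES)
    conn.executemany("INSERT INTO UserAuthorization VALUES (?, ?, ?)", GRANTS)
    return conn


def lineage(conn, entity_type, entity_id):
    """Return [(type, id), ...] for the entity and its ancestors, broadest group first."""
    chain = [(entity_type, entity_id)]
    while entity_type in PARENT:
        parent_type, sql = PARENT[entity_type]
        row = conn.execute(sql, (entity_id,)).fetchone()
        if row is None:          # unknown entity: stop climbing, nothing more to check
            break
        entity_type, entity_id = parent_type, row[0]
        chain.append((entity_type, entity_id))
    return list(reversed(chain))


def check_access(conn, user_id, entity_type, entity_id):
    """CheckAccess-style rule from the second answer: a grant on an enclosing group
    (client, country, city) is checked first, then the object itself; otherwise deny."""
    for etype, eid in lineage(conn, entity_type, entity_id):
        found = conn.execute(
            "SELECT 1 FROM UserAuthorization WHERE UserId = ? AND EntityType = ? AND EntityId = ?",
            (user_id, etype, eid)).fetchone()
        if found:
            return True
    return False


def visible_branches(conn, user_id):
    """Data-layer filter: the branch ids this user may see, resolved in one query so a
    list page never loads rows the user is not allowed to view."""
    sql = """
    SELECT DISTINCT b.BranchId
    FROM Branch b
    JOIN City    ci ON ci.CityId    = b.CityId
    JOIN Country co ON co.CountryId = ci.CountryId
    JOIN UserAuthorization ua
      ON ua.UserId = ?
     AND ((ua.EntityType = ? AND ua.EntityId = b.BranchId)
       OR (ua.EntityType = ? AND ua.EntityId = ci.CityId)
       OR (ua.EntityType = ? AND ua.EntityId = co.CountryId)
       OR (ua.EntityType = ? AND ua.EntityId = co.ClientId))
    ORDER BY b.BranchId"""
    params = (user_id, BRANCH, CITY, COUNTRY, CLIENT)
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = open_db()
    for user in ("USR1", "USR2", "USR3", "USR4"):
        print(user, visible_branches(db, user))
    print("USR2 on BRC4:", check_access(db, "USR2", BRANCH, "BRC4"))
```

Note that an object-level grant does not confer access to the enclosing group: USR1 may open BRC1 and BRC2 but is denied for CTY1 as a whole, while USR2's single country-level row covers every branch in Wales without one row per branch. Keeping the filter in the query (visible_branches) rather than only in a per-object check avoids listing rows the user then cannot open.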
