ASP.net member security access - asp.net

We are looking at enhanching our current security access model which is basically a check if the user is logged in. We now require the acesss to modules and pages and possible certain sections in the page such as dropdown restrictions based on your role.
I'm not sure how to design but maybe a few pointers and writing the requirements here will help.
The user usually belongs to an company.
The user usually has a role within that company
The company is made up of 1 or more sub companies
The user/role can have access to some modules in the system
The user/role can have access to some or all sub companies.
A role must be completely configurable on the fly.
A interface is required to configure the access for the users and the roles.
The menu needs to be configured based on access rights
The page needs to be configured based on access rights
We are using asp.net 2.0 at the moment but could possibly upgrade.
So based on that I think we need
User, Group, Role ( but roles need to be configurable) and Modules
A role for one organisation may have same name but have access to completely different Modules.
I am not sure asp.net membership is suitable so would like some opinions as it seams that access to pages is all hardcoded in config etc?

Yes, you can use ASP.Net Membership Provider for what you have stated.
As you said you are using ASP.Net 2.0, you cannot use new ASP.NET Universal Providers which is based on Entity Framework.
However, Membership Provider is introduced in ASP.Net 2.0. So you can still use the old version which uses aspnet_regsql.exe to create tables with the correct schema.
Here is the link for step-by-step instruction -
https://web.archive.org/web/20211020202857/http://www.4guysfromrolla.com/articles/120705-1.aspx
Please note that you cannot migrate from old ASP.Net 2.0 Membership to new Universal Providers.

Related

Custom membership provider for asp.net

I want to use NauckIT asp.net membership provider for Postgres.
I was playing with example and I managed to register/login/logout user. However, This membership provider also has role management, but i dont know how to use it.
My question is: Is it possible to use ASP.NET Configuration utility (the one you start from menu Project>ASP.NET Configuration) to create roles and users? How do I achieve this?
If this is not possible, Is there any other way to do this (besides inserting/update roles/users directly to Postgres DB - this is not much user friendly)
Thank you in advance
Roles are managed by a RoleProvider in ASP.Net
I would imagine if it has a custom Membership provider, then it would also have a custom role provider as well. If this is the case, then you can certainly use the out of the box Management Pages for ASP.Net as it simply uses the Role and Membership providers that are already defined.
It would appear that NauckIT does in fact have a role provider.
Again, the management pages should work just fine if following the instructions in the link above.

Asp.net mvc user management

In asp.net mvc default application you get he account controller which enable user registration, log in, log out and changing password.
I was wondering is it possible to implement litle more like enabling administrator to delete some user or give some user different roles like in asp.net configuration where you create user, roles and asign roles to users?
I already figured out and extend profile for users, so now they have much more infos and profile picture.
If you have any experience or examples of user management in asp.net mvc.
Although a bit outdated, this project maybe can give you a few hints on how to implement membership administration in ASP.NET MVC:
Asp.Net MVC Membership Starter Kit
Quote
What is the Asp.Net MVC Membership
Starter Kit?
The starter kit currently consists of
two things:
A sample website containing the controllers, models, and views needed
to administer users & roles.
A library that provides testable interfaces for administering users &
roles and concrete implementations of
those interfaces that wrap the
built-in Asp.Net Membership & Roles
providers.
Out of the box, the starter kit gives
you the following features:
List of Users
List of Roles
User Account Info
Change Email Address
Change a User's Roles
Update
For restricting certain operations to specific user roles, you can create these roles using the project I mentioned earlier, and then decorate your own application's controllers and/or actions with an Authorize attribute, referencing the desired roles:
[Authorize(Roles = "Administrator, HR")]
public ActionResult DeleteUser(int UserId)
{
// do something
}
This would prevent users that are not Administrator or HR to delete users.
Here is my try for a reusable user & role management:
https://github.com/Epstone/Simple-MVC-User-Management
If I were you I'd create a Admin "module" which handles all of these things. I don't know of any asp.net documentation on this, but if you look around on PHP documentation (Zend Framework, CakePHP or other) you get the basic ideas of the structures you should use to achieve this. Just remember to keep things seperated, admin stuff goes into a admin module not a user module (but maybe a user controller inside a admin module).
I answered a similar question here:
User Management in ASP.Net MVC 3
This provides you with an MVC 3 Razor based User Management Tool. This does not include Roles, but if you get this far, it should not be real difficult to add them.

ASP.NET - UserType-wise page access

Suppose I have 3 kinds of users and their accessible pages in my ASP.net application are as follows:
(1) User Type-A {Default.aspx, a.aspx, b.aspx and c.aspx},
(2) User Type-B {Default.aspx, d.aspx, e.aspx and f.aspx},
(4) Admin {Default.aspx and g.aspx}.
Here Default.aspx is my Login-page.
I am using Membership Provider and Forms authentication technique.
Now I need to block access of one type of user to the pages assigned for other type users.
How should I configure my Web.config file?
and What kind of c# code should be used?
Role management in asp.net may help you in this case. Please check this article.
You may have to customize this as per your specific requirement. Hope this helps.
Role Manager in ASP.NET
Each of User-Type will be associated with Roles.
We have a similar requirement, and make use of the Patterns and Practices Web Client Software Factory. Basically it assists you in creating modules, and allowing you to specify per-page access levels in config based on Role / User details.
You might have a try to use roleship provider and web.sitemap.

ASP.NET Windows Authentication with Custom Roles

If I am using Windows Authentication in an ASP.NET app, and I want to use custom roles instead of using Windows security groups as roles, do I need to write a custom Role provider? The solution needs to be able to map Windows users and groups to application specific roles.
If I understand your question - no you don't need to use roles from Active Directory security groups as roles for your ASP.NET application. And you dont need to implement a custom Role provider. The default one simply retrieves the Roles from the ASP.NET application database.
You can simply have application defined roles in this database, that you create with the aspnet_regsql.exe utility (in the .NET 2.0 framework folder).
Probably the greatest collections of resources/information on this topic:
http://weblogs.asp.net/scottgu/archive/2006/02/24/ASP.NET-2.0-Membership_2C00_-Roles_2C00_-Forms-Authentication_2C00_-and-Security-Resources-.aspx
Actually you CAN use the built in ASP.NET security configuration web site. You have to temporarily switch to Internet Mode, Then you can add users DOMAIN\username as username, enter some password (it won't be used once you switch back), you can then assign these to roles. Once you switch back to Windows mode these users will be used automatically.

ASP.NET 2.0 Security Membership Provider Pattern

I am creating a website in ASP MVC. Can anyone give me some advice on using the built-in membership provider in the following way.
I want my users to create an Administrative account for themselves and then create accounts for the people in their organization, or the people that they want to give access to.
I guess in a Database it will look something like this:
Companies have Administrators. Administrators can give users access.
I am sure this pattern is used all over the place, I am just not sure how to implement it. Especially using the membership providers.
Thanks,
David
There is nothing special in implementing this. It can be easily accomplished by built-in features of ASP.NET 2.0:
Configure Web site to use membership (via web.config)
Enable role management (via web.config <roles enabled="true"> tag)
Add administrator accounts to Administrators role.
Control access to the administrative pages by using [Authorize(Roles="Administrators")] attribute in the controller action.
Require authentication on other non-admin actions ([Authorize])
When I did this, I used the Membership Provider for authentication however, the organization concept I created externally from the Provider. You could use the Profile Provider.
As for roles I would still use the Roles within the ASP.Net Membership Model.
You can create a role for those people and name it something like organizational-admin, though that's a bit long, you catch my drift :). And give those the power to create users with a regular user role. At least that's how i did it in one of my applications.
Ofcourse you'll keep the admin to yourself or to the person who is in charge of this particular site.
Gu's blog has a small example of how to implement the roles in an action filter.

Resources