"Role Management" vs "User Management" in ASP.NET - asp.net

Question No 1
I am familiar with role management, a particular member in a particular role can do this and access this functionally. What I need to do is Manage individual user, not the role he is in.
For example, lets say I create a role, called "Sales". I setup the role permission what the sales persons can do. Now i want to keep a check on individual user. For example if this is "john", i want to show him the records only he created. If his is peter, I want to show him only that records which he created, not by john or other sales people.
Is there a thing called "User Management" in ASP.NET that we can use? If not we have to create it ourselves and I believe the integration with ASP.NET "Role Management" will not be that smooth.
Question No 2.
I am using control for user login. I want to create a session at this time so I can keep track of which user is signed in so I can show him the records only pertaining to him. How can I do that?

Your Q1 isn't really about Role vs User management (ie: authorizations) at this point. It's about audit tracking within your application.
And the way you do that is you capture the ID of the user who created the record in question with the record, so that later you can filter on that ID.
Pseudo database structure
Table Sales
Field...
Field...
Field...
CreatedByUser int not null, -- Populate this on creation and never change it again
ModifiedByUser int not null - populate this on every row update including insert

See ASP.NET Profile Properties.
Assuming the records in the database correspond to a unique ID for a user, you can store the unique id in a profile property per user.

1) If you want to filter records by the creating user, you need to record in your table the ID of the user who created the record. You can access the name of current user through User.Identity.Name and their ID (provider-dependent) through User.ProviderUserKey.
2) Sessions are created automatically in ASP.NET and provided you have a properly configured MembershipProvider, you can retrieve all the needed user info using the User object as shown above.
It sounds like you are a little unfamiliar with ASP.NET Membership and Roles capabilities, because they are actually set up quite well to accomplish what you are describing. I would recommend checking out this tutorial series:
https://web.archive.org/web/20211020202857/http://www.4guysfromrolla.com/articles/120705-1.aspx

You are talking about Authentication and Authorization. For question 1 you and implement a custom authorization provider to allow for user level control http://msdn.microsoft.com/en-us/library/aa479048.aspx For question 2, once you log in and are Authenticated, the session contains a userprinciple object that has the info in it automatically.

Related

Ensuring user is updating its own record

I'm building a simple web form which allows user to edit there data like email, emergency contact etc.
The edit form is rendered using Asp.NET MVC 5. Proper html fields are rendered for Id, email, emergency contact etc.
Lets say the request to save the data is received by the following controller method.
SaveData(recordId, email, emergencyContact)
{
;
}
Question: How do I make sure that recordId was indeed the id that was rendered as part of the edit form? We don't want this user to update another user's record.
I have the following options in mind
1. Create a hash of the record id and send the hash as well.
2. Ensure user is authorized to modify the record indicated in given record id.
Is there any other way? Does MVC 5 provide any features so that I don't have to put this sort of logic in my application logic?
Typical approaches are:
Store the ID of the record as a hidden field. If you are concerned with hijacking, encrypt the value and decrypt on the server.
Store the ID of the record in session; this way, you always pull back the record and keep the value on the server. But when session dies, so does the link to the record.
Yes I'd highly recommend check permissions to the record if you store the ID in the URL.

Allow asp.net sqlmembership users to create "subusers"

I've tried searching this for days and can't seem to find an adequate answer so I'll ask here.
I'm building an asp.net Membership website.
What I want to do is:
Allow a user to create an account - say UserA
I then want to allow UserA to create "sub accounts" tied into his account, but with different roles as well as different login names (I'll be using email address as the login name)
UserA would be the account admin of sorts.
UserA's sub accounts would be less "adminish" than UserA, but any data that they write to my DB (Entity Framework) would still be tied to the main UserA account which will be referenced to my tables via Membership.GetUser() API calls.
So 2 questions:
1) How would I reference the Membership tables in my EntityDataModel using DB First (I already ran the aspnet_regsql.exe)
2) How would I need to go about allowing UserA to create his own sub users?
Here's an image of my custom tables:
[MasterAccountUser]
MasterAccountId = aspnet_Membership.UserId
AccountNumber = autoincrement number
[UserAccount] - subaccount of [MasterUserAccount]
AccountId = aspnet_Membership.UserId (if I have to have each user create their own)
MasterAccountId = aspnet_Membership.UserId (but the same one as the [MasterAccountUser]
If this is too vague, let me know and I can expand.
I was able to get this to work.
Basically, you just do the standard aspnetdb.mdf with all the in-place security features.
Then you simply add a table with the same fields, and then you reference the
MembershipUser.GetUser(Page.User.Identity.Name);
So you own table will have a "masteruser" with this User.ProviderKey. Every "sub-user" then has the SAME masteruser guid on their record so that they all fall under the same account.
If anyone want more details on how i got this to work, i can happily provide them.

Multiple ASP.NET Membership roles in the same Website

In my MVC3 application I have ASP.NET Membership roles like - Manager, System Admin and Editor
I am using Windows Authentication for the website and I am adding the users in the Network to the Membership just like in the following example -
http://weblogs.asp.net/scottgu/pages/Recipe_3A00_-Implementing-Role_2D00_Based-Security-with-ASP.NET-2.0-using-Windows-Authentication-and-SQL-Server.aspx
But, my problem is there are people who require multiple permissions. For example
User-John is the Manager of Department-ABC and he can see all the Actions in Department-ABC.
User-John is also Editor in Department-XYZ and he should be able to see all the Actions of an Editor in Department-XYZ;
but NOT the Actions of Manager; because he is not the Manager of Department-XYZ.
User Mathew is the Manager of Department-XYZ and he is an Editor in Department-ABC.
If I use normal role privileges, it will allow User-John to be the Manager of both departments and it is not right.
My solution is to store the DepartmentID, UserID and RoleID in a seperate table in SQL database and allow according to this table.
How can I get the role ID from ASP.NET Membership in C# and also in SQL?
Is it safe to do?
Is there a better solution?
Activity based membership would probably fit here.
In activity based membership your users get access to actions, not to roles.
Typical usage is:
One action = one activity
There are still roles given to users, but they are used to group activities
There is n..n relation between roles and activities
Activity is just a custom action filter that is applied to the action.
Typical example is here (although I don't like this approach, so I made my own implementation).
[Activity(Name="DoSomething")]
public ActionResult DoSomething()
{
...
return View();
}
Membership can be stored in ASP Membership database table, custom table or represented as AD group. Depends whether you implement custom membership provider or you use default implementation.
At the end, there has to be n..n relationship like RoleActivity, where you link the particular role to the activity (like Manager1 to both AddMemberToDepartment and AddComment, and Manager2 to just AddComment). This relation can be classic n..n database relation or 'virtual', where role is in AD and database table relates to it only via group name.
EDIT:
If you use default database role based authorization, table aspnet_Roles will be generated for you. To support activity based membership you will have to add your own activity table manualy, along with additional role-activity relation.
This schema should help you proceed.
aspnet_Roles (autogenerated)
* ApplicationId
* RoleId
* ...(other autogenerated columns)...
aspnet_MyActivity (add manually)
* ActivityId
* ApplicationId
* Name
* Description
aspnet_MyPermission (add manually)
* ApplicationId
* RoleId
* ActivityId
You can fill roles using membership provider.
Then fill manually your activities as your application needs them, say, one activity per action method.
Finally, manually add your activity permissions to roles.
Real world scenario
If your organization is small enough, it may be acceptable to add one role per department and one activity per action/deparment:
role: Dep. mgr. of ABC,
role: Dep. mgr. of XYZ,
activity: createAbcUser,
activity: createXyzUser
Connect them using appropriate permissions and you have your requirement covered.
However, for a large number of departments adding one role per department and giving activity permission for each of them can be a little awkward. In that case you should stick with simple role "Department manager" and simple activity "Create user", and give your manager permission to create user. However, you have to stop manager to create user in a different department - use your hierarchy for that, meaning, check if your user belongs to your manager.
Your action filter will then look like this:
check if any of current users roles has a permission to run that activity
check your hierarchy: does your current user have a permission to work on referenced user?
If both of these are true, action method can be executed.
NOTE: You will probably reference user by some input parameter, so your action filter has to access that parameter. See Getting the values of action parameters within an action filter to solve that.

Display own records in grid view

Im new to asp and i need u guys to guide me pls? Okay, lets just straight to the point. How to display current user who logged in to the system their own data? Like my system is about tracking expenses spent by user monthly. So, once user entered the expenses, prices for that particular month, it will be stored in db of course. But the tricky part here is when the user log in again, they should be able to view back their own records. So, basically i have a drop down menu which is used for month, Jan-Dec, grid view which to view all the particular user's records, view button (when user choose month,they click on the button and the grid view will show the expenses for that particular month) and thats all. So, if you guys have any idea, solution, pls tell me how. I would be appreciated if you could gimme the step by step to do that. Thank you.
|username|Month|Expense1|price 1| Expense2|Price2|....//this is the eg of my db structure
P/s: i dont know how to use HttpContext.Current.User.Identity.Name. If you could guide me by gimme the steps, that would be great! Thank you again.
Firstly, You must be having a Login form to login and view monthly expense and make new entries.
Now you can follow the below steps and make all your application working.
Assuming you have created the database to store new users information with there passwords and expenses table storing data related to the expense with respect to particular user after login.
Steps
once the user is logged in to your application. You can store the
User ID in Session.
This session can help you to take are which user is logged in or there are no users logged in currently to your application
since you have the database filled with all the details related to
expense. After login check if you have any user id in your session
or your session is null or not.
if you find any User ID session just pass this as a SqlParameter to your store Procedure and fetch all the records of this User id.
If you find any records bind your results to grid view. Otherwise display no records found and give a provision to Add new Expense Detail.
If you are using MemberShip API for Maintaining User Account and Login then you can user the HttpContext.Current.User.Identity.Name get the User ID from this name using MemberShip class in System.Web.Security namespace.
Hope the above steps are clear and you follow the functionality properly, to solve your problem.

aspnet_user table for storing customer information

When regsitering in my site (ASP.Net MVC application), the users get inserted into the aspnet_users table. Since its a shopping site, I would want the users to have a customer id and all their details provided by them at registration in this Customer table as well. How do I link these 2 tables? Is it recommended to use the aspnet_user's UserId(Guid) in the application for other business processes.
Also, I would like to know when should a new record be inserted into the customers table.
I mean, when should a new customer be created. I guess its not good to create a record as ans when users are registered? Here, I want to know whats the norm? I felt it would be better to add it when a user adds an item to the shopping cart. Pls guide me.
Thanks in advance.
Add the UserId field into your customer table and then make a foreign key relationship back to the UserId in the aspnet_users table if you want to enforce relational integrity.
I'm not sure what you mean about when to insert the customer record. As long as you insert it after you have created the user (so that you have the user ID), you should be fine. It can happen in the same postback.
I'm not sure how you are saving the user. As in are you using one of the built-in ASP.Net controls or making the call manually?
If you are using the Membership provider as it sounds like you are, you can save the member using:
var user = Membership.CreateUser;
Guid userKey = user.ProviderUserKey;
//Populate your customer object.
//now use whatever EF/ADO/etc... to save your customer record.

Resources