I am building a subscription based web site, which currently has three subscription levels, i.e. Horses, Soccer, and Horses and Soccer. I was thinking of implementing standard role based authorization, where a Horses subscriber would get roles including those to use the Horses section, etc.
Should I use a standard role provider, and when a member subscribes to the site, assign roles for his subscription to him, or use a hierarchical role provider, that when asked for the roles for a member, only then uses the member's subscription level to 'calculate' a set of roles for the member.
Approach 1 is more controlled and deterministic as opposed to approach 2.
It will depend on how many 'public' areas you have.. If there are manu public areas and roles apply only to chosen few content, I would go with option 2 otherwise option 1.
Seems to be aspnet roles and assing the roles seems like a good solution to me that requires minimal amount of code
Related
I've a question re how to cater for a specific scenario in the security model of D365/CRM.
Say we have User 1 and User 2 that are in the same business unit.
User 1 has full Business Unit read access to contacts.
User 2 has just user level read access to contacts.
We want User 1 to have visibility of all contact records that are available to all users in that business unit.
Using the OOB D365 security model - if somebody shares a contact with User 2 that is owned by a user from a another business unit, User 1 cannot see this contact record.
I'm just wondering what the best/cleanest way to resolve this requirement is?
Thank you
Just exploring options at this point. I believe one option is to create a team for the business unit that only user 1 gets added to and then also sharing the record with the team would work - but that seems to involve a lot of overhead in terms of maintaining shares etc.
Was hoping there might be a cleaner way to implement somehow using OOB functionality that I may not be fully aware of.
I have this project which is school management system, i have created Roles(Teacher,Admin,Staff) now i can assign what role is allowed to be viewed in each page and i want the Teacher Role to be more specific cos i have this page where the teacher can see all the list of subject that she/he teaches.
Now my problem is when the teacher login, i want all the subject of the current teacher who login can see her subjects only, right now with my role as (Teacher) they can see all the list of subject from other teachers too. Any idea on how to solve this? or what are the things i should add or learn to achieve my goal? i heard about MVC identity is it the one responsible for fixing this issue. appreciate if u guys could give me idea on how to deal with this. thanks!
If I did understand your problem correctly.what you are looking for is Resource Based Authorization (Authorization depends upon the resource being accessed). As far as I know, this can not be done with declarative security.
In order to gain such flexibility, you have to call an authorization function inside the action method.
Depending on the result of that authorization function, you can return 403 or the required resource.
Speaking of your requirement, extract the user id inside your action method and filter out other teachers' subjects.
If you are using ASP.Net Identity this link may help you to get started.
My client has a three tier organizational model, with 184 total business units. I imported the business units from file, which created a default team for each business unit. Unfortunately these teams by default have no user roles and cannot be assigned ownership of entities.
My next move was to select all of my teams and do a bulk "Manage Roles" to set all teams to have a user role of Customer Service Rep. This results in a warning that "You have selected users from different business units. Users cannot be assigned roles from business units outside their own, so only the selected roles from each user's business unit will be assigned." In essence, this means that if I bulk edit roles, I will need to select 184 roles, one instance of the Customer Service Rep role for each business unit.
This seems remarkably stupid, since there is in fact only one Customer Service Rep role that to my knowledge behaves identically across all 184 business units. I am looking for insight into why the bulk role editing behaves this way, as well as a solution for assigning all of my business units the desired role.
Thanks!
In real-world enterprise web applications for enterprise businesses, we always need to limit the access to the data by the user's unit and role.
Consider that we have an enterprise company with many shopping stores in a country.
So the company has headquarter which has view access to all invoices and statistics for all branches. Each region in the country manages and plans the regional sales strategies for its own branches. Then the region's user also can see the all invoices which have been created by its branches. Each branch can create invoice, customer, and view only its data.
We can see that we have two main access control definitions:
1- Roles (which has been thought and implemeneted many years ago!): we can easily implement using RoleProvider and controlling the access control in UI level (web.config and sitemap.config)
2- Units and its relation with roles to deny/grant the user access to update/view data.
I have implemented a custom principal in ASP.NET to get the user's unit and roles, but I think there should be a classic solution...
Check these out:
http://netsqlazman.codeplex.com/discussions/352107
http://lostechies.com/derickbailey/2011/05/24/dont-do-role-based-authorization-checks-do-activity-based-checks/
Here is MY explanation.
http://granadacoder.wordpress.com/2010/12/01/rant-hard-coded-security-roles/
............
The MembershipProvider is based on ROLES,....and that is for your kid's soccer club...NOT a professional DotNet application.
There is a "middle ground" workaround.
http://www.lhotka.net/weblog/CommentView,guid,9efcafc7-68a2-4f8f-bc64-66174453adfd.aspx
Basically. Use the MembershipProvider......but treat the word/phrase "Role" as "Right". (In your mind..you cannot change the names of objects in MS code of course)
Rocky's NUTSHELL ( from url above)
bool result = currentPrincipal.IsInRole(requiredPermission);
I want to create a website with various users. The users can have different roles, admin and user, which is a very well documented situation. But I would like to also group the users on their location, so at each location I can have both admins and users. - A multi dimensional role system?
The reason is, that users in Germany should have access to a certain set of documents, while the Italian users shouldn't.
Where should I look for documentation on this specific topic? I need some way to limit my search, maybe some keywords.
A different approach would be to add another set of roles, corresponding with the different locations available, for example Germany and Italy. You then make all German users members of the Germany role, and the German admins members of both Germany and Admin. When checking permissions, you then check both for Admin and for the current locale.
Remember, one user can have many roles.
First of all, please see the very excellent tutorial series on 4GuysFromRolla: https://web.archive.org/web/20210513220018/http://aspnet.4guysfromrolla.com/articles/120705-1.aspx
Secondly, the built in Role Provider is extremely rudimentary. You associate a user with a string (role) and that's pretty much it. There's no heirarchy or additional properties that you associate with the role, unless you pack in into the string (role name).
You might want to look at custom profile properties. MSDN