asp.net arbitrary user info - asp.net

If I am using asp.net's built-in membership provider, then how can I store arbitrary user-info while using CreateUserWizard control?
Suppose I have three types of users in my application: Student, Teacher and Staff. I want to store a flag for every user to distinguish their types while creating a user through CreateUserWizard - control.
How to do that?

Short answer: use Profile.

Use a user profile to store user information. It looks as though you are creating a role based on the person logging in in this case. If this is true perhaps using / setting a role is the better approach on this.

You should probably have a look at this long series on the Asp.Net Membership, Roles, and Profiles. It should have more then enough information to get you what you are trying to do.
Part 6 specifically covers the Profile portion.
https://web.archive.org/web/20210513220018/http://aspnet.4guysfromrolla.com/articles/120705-1.aspx

I agree with #klabranche, using roles is the perfect solution for "types of users" (Student, Teacher and Staff).
I haven't done it with CreateUserWizard, but it should be pretty straightforward: How to Add Users to Roles Using the CreateUserWizard.

Related

Group claims in roles ASP.Net Identity

I'd like to make a system with granular permissions so
Is there a way to make groups of claims and assign them to a role so when a user gets a role it gets all the claims?
Is it possible to create groups of claims or am I misunderstanding something?
I'm failling to find the purpose of claims.
This could be done using groups with various roles and the roles are gonna be the permissions, right? This is the way I should do it? Since roles per se are claims.
Following steps can solve your problem
Create granular level of roles...typically for each action
Group them up into GroupRoles...so that admin can easily manage it
Add individual level claims to user for specific permission
Some good examples of the same are below
http://www.3pillarglobal.com/insights/granular-level-user-and-role-management-using-asp-net-identity
http://bitoftech.net/2015/03/11/asp-net-identity-2-1-roles-based-authorization-authentication-asp-net-web-api/
Hope this solves your problem

Best Practices in User Privileges/Session Variables in MVC3

Hi Stack Community Members,
I am developing an application under MVC3 where users have department-specific CRUD privileges. In other words, all users can view data for all departments, but only certain users can make changes to the data for any one given department. User-department privilege data is held in a join table in a database.
What I typically do in this kind of situation (in PHP) is to create a Session variable (an array) on login which is populated with the id's of the departments which the user is allowed to edit. When a user then goes to access the editing feature a drop-down list is populated with only these specific departments. I also populate a few other session variables which are used frequently like the user's name and the id of the current time period (business quarter).
Is this type of approach a good way to go in MVC3, or is some alternative approach better? While I figure that I'm going to use Forms Authentication and some specific roles (employee, admin, etc.) these types of roles are just too broad to be able to target department-by-department access, and I'm not sure that MVC3 has an out-of-the-box method which is better than what I'm planning to do.
Your guidance is appreciated!
I'm using Forms Authentication, add specific roles, and combine them if needed. I don't mind being specific for the roles, as they can be combined anyway I want. I can still have broad roles for more general actions.
I store similar data (UserId, DepartmentId, etc) in session since it does not change for the user and it is a small amount of data. It is my opinion that session state would be a good approach for you also.

ASP.Net membership provider

I have a couple of questions regarding Membership Provider. My textbook got me started but I still need more information.
I am using Linq to Entities, does it make sense to also create LINQ entity relationships with my membership provider DB?
I would like to add additional user attributes other than provided in the membership provider. Can I add them to the aspnet.USER table without any issues?
My users will join the website and will gain privildges as they participate, much like Stack Overflow. I want to keep track of their postings by adding a field to the user table to manage that function.
Thanks in advance!
There are two ways to associate additional information with user accounts when using the Membership model. The first - which affords the greatest flexibility, but requires the most upfront effort - is to create a custom data store for this information. If you are using the SqlMembershipProvider, this would mean creating an additional database table that had as a primary key the UserId value from the aspnet_Users table and columns for each of the additional user properties. In the online messageboard example, the table might be called forums_UserProfile and have columns like UserId (a primary key and a foreign key back to aspnet_Users.UserId), HomepageUrl, Signature, and IMAddress.
Rather than using custom data stores, the ASP.NET Profile system can
be used to store user-specific information. The Profile system allows
the page developer to define the properties she wants to associate
with each user. Once defined, the developer can programmatically read
from and assign values to these properties. The Profile system
accesses or writes the property values to a backing store as needed.
Like Membership and Roles, the Profile system is based on the provider
model, and the particular Profile provider is responsible for
serializing and deserializing the property values to some data store.
The .NET Framework ships with a SqlProfileProvider class by default,
which uses a SQL Server database table (aspnet_Profile) as its backing
store.
Examining ASP.NET's Membership, Roles, and Profile - Part 6
By Scott Mitchell
This should get you started. I guess I could answer your questions as follow:
It shouldn't be necessary. Explore the membership API, everything you ever wanted is... probably in there.
Read the article and decide what's best.
Good luck, :).
Sincerely,
Maxime

ASP.NET Membership - A design for tracking additional information

I'm working on an ASP.NET4.0/C# application for a public site that needs to authenticate only the employees that work at the associated business. The idea is for the site to have a CMS such that employees can go in and make changes to certain content without having to work with any html.
My question relates to the design and use of a ASP.NET membership provider. I'm not trying to make the site work with an existing database, so there's no need to create my own MembershipProvider for that purpose. However, since each user is an employee, I want to track additional information such as name and office number. I can think of two readily apparent ways to accomplish this:
Use the default SqlMembershipProvider class. As a result, I would need to add the appropriate tables to my database and create a separate table for any "additional" information I want to store. This effectively creates a vertical partition on the user table, since I would use the asp.net-assigned userID as the primary key of the employee table as well. To retrieve the "additional" information, I could ask the provider for information about the current user and requery the database in the event I want to know anything else.
Create one table for all employee information (including login and password) and create my own custom MembershipProvider and MembershipUser classes with the functionality I desire.
I've also considered the use of profiles to store such information, however, the site will publicly contain employee listings, and these pages will need to access some of this information. As a result, I should probably cache this data and it seems like using the serialized fields that profiles provide would cause a problem.
Thus, purely in regards to design... would it be best to make a distinction between a user and an employee and use the default SqlMembershipProvider and associated tables, or write my own user tables that store the information I need and my own MembershipProvider for accessing that information?
If I understand your question correctly, you'd like to store additional user info within the ASP.NET Membership. I've created a number of sites using the following setup.
Install the default .NET Membership using the aspnet_regsql.exe tool
Create a UserProfile table with a uniqueidentifier (PK) UserID column that is linked via a foreign key to the aspnet_Users table
To access that information, all you need is the UserId of a particular User, then you can query your custom table for more information.
Microsoft has written an excellent post on how to do this.
Good luck!
M
I am doing something similar, using your option 1. Works great for me.
My business logic has some functions for mutating users. It knows when to touch my users table or the Membership functionality.
Using a custom MembershipProvider for this sort of thing will give you more work than you bargained for.
SQL Table profile provider (http://weblogs.asp.net/scottgu/archive/2006/01/10/435038.aspx ) will help you do just that.
You will get the power of the Profiles and on the same time not worry about caching or serialization since this provider stores the profile information in clear database table without any serialization. You can use them directly in your queries.

Best way to ensure page-level security

I wish to ensure a user has access to an aspx page by 'Zone'. For example, "Financials" is a Security Zone which some users should not have access to.
The result should not involve patterns such as MVP, MVC, MVVM, etc. I'm looking for something that's light and quick to do.
To make things easier I have a base class which each aspx page derives from. What is the easiest/best way to have each page to be checked versus a security zone given the userID?
Thanks.
I've used this, whether it's the best way is seriously questionable. I have a class I derive from Page, called SecurePage. In that I usually have a cross table in a database that lists objects, such as the page, and groups/users that have access to that page. Running a stored procedure using the UserID and the Object name (Page name in this case, but can be a field, or whatever) it returns whether that user or a group that the user belongs in has access. You can check this during the page init, and if it doesn't match up, then response.redirect them or whatever you want to do.
You basically need to create a little ACL implementation. (Access Control List).
Create a acl_roles table, with all your roles (Admin, Accountant, whatever, guest) and stuff. Then link the id of it with your user table, so each user has a role_id.
Then define a acl_resources table, where you add the "zones" in your app and the minimum role they have to be to access it.
Then at the start of each script simply do check if the current user has enough privileges to be in that zone.
There are more details into this, but that is the basic idea.
Yeah, use forms or Windows authentication. You can easily lock down different parts of your site based on the authenticated user's role. Look into using locations.
Why not just use the security features such as forms authentication built into .NET? It's very easy.

Resources