Is it better to extend my business database with the tables of the ASP.NET Membership Security model. Or should I have a different datastore where I only manage Identities and Roles... Basically 1 or 2 databases?
This can depend on scale. If it's an enterprise solution with different apps sharing one membership source the answer is simple - separate them. There might also be performance reasons why you would want to separate this data from the rest of the app. Arguably these tables do not belong in a data warehouse for example.
The only thing the 2 databases solution doesn't give you is referential integrity. If you extend your membership tables to hold more application specific details about the user, and these tables need to link into the main database then you might want to keep them together. Otherwise you would need some sort of replication job maintaining this for you.
This is quite subjective, but unless those users are going to be using more than one database, then I'd say keep them in the same db.
I would only use a separate database for users and roles if those users and roles were used in more than one database.
So no, I'd never use two. I might however use three.
Which database platform are you using? If one that supports schemas within a database, e.g. SQL Server 2008, then you can put your membership tables into their own schema, for neatness. You can also add cross-schema foreign keys if required.
Related
In a multi-tenant system where we have multiple customers. Each of those customers will have multiple users. What's the best way to ensure users from customer1 can never access data that belongs to customer2. We do have customer_id in all of our tables. I came across fine-grained access control but not sure if it could be used for this use-case. If not, what are my options? What are the best-practices to ensure security here?
Here is a relevant reference to your use case, please see the dynamodb:LeadingKeys. Assuming you are doing CRUD operations against tables that has customer as hash key and users as range keys.
I am planning to make a software (ASP.NET 4.6.1 MVC with Entity Framework), which does a lot of reading from DB. Therefor I have one database, which contains all global information, projects etc. and now I am thinking to either bring all the content into the same DB but in different tables or to create a DB for each bigger group.
Now as there is a lot of reading going on, is it bad practise to have the connection information in the main db and then to connect to a different DB? Otherwise I would have the project information in the primary database and the content in a different table on the same DB.
Are there any notable delays to connect to a different DB to retrive the information?
If it's all your data, for your application, it should all go in the same database. Definitely use different tables. You should read up on entity design and normalization... and if you really need to do that, you may already be in over your head.
I'm currently developing an app where the users are first asked to create an account trough a website (ASP.NET) to use the app. For a special reason I need to automatically generate a database for each customer creating an account, on the hosted SQL Server. The databases for all the customers are the same.
I was thinking about doing like that: as I have the script for creating the database, I was thinking to insert it in stored procedure or a trigger that will be launched as soon as the user has fully created his account.
I don't really see other solutions, maybe somebody could give me some guidelines? Thanks in advance.
I think such a design has been shown to not scale. I'd recommend redesigning the schema to allow multiple customers in a single database.
Amazon does not such thing. Neither should you.
I agree duffymo on you would have scalability issues.
However there are situations where in you might prefer separate database as your multi-tenant data approach.
In my last project I had to adopt separate DB approach as business wanted complete isolation for each customer. It was a school administrative system and number of customer was not expected to grow in more than three digits in 5-10 years time.
So the solution I designed was, I used Entity Framework code first approach. Every school will have a unique school identifier which will be used to name the database uniquely for each school. The connection string was generated at runtime obviously. A connection factory was used to create the appropriate DataContext based on passed school identifier. The database is created on first usage if not exist. At the same time SQL script was executed to create db users during db creation if not exist.
If this approach sounds appealing I can share code snippet if that helps.
Is there any reason why I shouldn't add contact and extended data to the users database with a custom membership provider?
What is the advantage of keeping separate one-to-one tables for user data and membership data? As I understand it, the common method is to keep separate tables. I'm thinking it would be better to have one table for users to keep SQL statements simple and custom code the membership provider.
The idea behind Membership is that it provides a plug-and-play generic membership solution. Say you want to switch from Sql to ActiveDirctory, you need only change the membership provider and everything works.
So long as you are creating a custom provider, you can do whatever you want. But, in order to get your extra data into the membership tables, you will have do so outside of the membership interface (because the API does not include fields for them). That means, you are essentially throwing away the Membership API.
My advice is to either a) use Membership as it was intended, or b) go off and do your own thing completely. Don't try to shoehorn Membership into something it's not intended for.
But, writing your own is a lot more involved than you might at first think, at least if you want to e be secure and cover all your bases.
The advantage is separation of concerns. By keeping them in separate tables, you're in a situation where the membership data store could be swapped out or modified in isolation. However, before getting too excited about the "flexibility" consider the realistic lifespan of your application. Weigh the likelihood of needing to change things in the future vs the upfront cost of implementing a custom provider.
When I've implemented custom membership providers, more often then not I've found myself at one point actually wishing I had just rolled a completely custom authentication mechanism. Once you've implemented the provider interface, you don't necessarily gain a whole lot by "plugging into" the rest of the provider infrastructure. For simple apps, I'd usually just recommend doing the simplest, easiest thing that works. If you haven't build many authentication systems, you might find the process of implementing a custom provider educational.
Our requirement is something like this.
We are building a multi-tenant website in ASP.NET MVC, and each customer should be able to create their own users as per predefined user roles.
We are thinking about to create a schema for few tables which would be common for customers. So customer can login to system according to their schema logins and we need not to alter any queries to serve all of them.
We are referring http://msdn.microsoft.com/en-us/library/aa479086.aspx Shared Database, Separate Schemas.
Can someone suggest on following
1. After creating schema how to authorize user against a particular schema
2. Is this possible that without any changes in queries db can serve multi-tenants
Thanks in advance
Anil
After much research, I can say that, although it takes more development up front and more checks along the way, shared database and shared schema is the way to go. It puts a little bit of limits on how easily you can cater to a client's specific needs, but from my point of view SAAS isn't about catering to a single client's weird needs. It's about catering to the majority of clients. Not that it's a SAAS but take iPhone as an example. It was built to cater to the masses. Rather than focusing on doing everything it's built to be one-size fits all just by its simplicity. This doesn't help your case when it comes to authoriztion but it'll save you dev hours in the long run.
If you are asking this in the context of SQL Server authentication/authorization mechanism, i can asnwer this question with saying that every user has a default schema which helps query engine to find out required object in the database.
SQL Query Engine will look at the user's default schema first to find the required object (table). If it founds the object in user's schema then use it, otherwise goes to system default schema (dbo) to find it.
Check this article's How to Refer to Objects section to find out how it works. The article also has some information about security concepts related to schemas.