ASP.NET: Permission/authentication architecture

Question

I am looking into building an authentication in my ASP.NET application with the following requirements.

• A user has exactly one Role (i.e. Admin, S

Answer 1

I think what you need to do here is implement a set of permissions query methods in either your business objects or your controller. Examples: CanRead(), CanEdit(), CanDelete()

When the page renders, it needs to query the business object and determine the users authorized capabilities and enable or disable functionality based on this information. The business object can, in turn, use Roles or additional database queries to determine the active user's permissions.

I can't think of a way to declaratively define these permissions centrally. They need to be distributed into the implementation of the functions. If you want do improve the design, however, you could use dependency injection to insert authorizers into your business objects and thus keep the implementations separate.

There's some code that uses this model in Rocky Lhotka's book. The new version isn't in Google yet.