ASP.NET Security Roles AND Permissions

[愿得一人] 2021-01-03 00:35

I'm comfortable with the ASP.NET security model whereby one can allow/deny access to users in the web.config based on what roles they are in e.g.

5 answers
  • 2021-01-03 00:39

    You can use Azman as described in this MSDN article.

    But there are a number of things I don't like about Azman, so I rolled my own as a complement to the RoleProvider (additional tables, APIs and admin tools that manage the mapping of permissions to roles).

    My custom implementation is very simple:

    • M-N relationship between roles and permissions.

    • An API "HasPermission" that tests if a given principal has a given permission. This simply iterates through all roles and checks if the role has the given permission. The mapping permission-roles is cached using the ASP.NET cache for performance reasons.

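The "HasPermission" design the answer above describes, worked through as an added example (not the answerer's code): an M-N role-to-permission mapping loaded from a hypothetical `IRolePermissionStore`, cached in the ASP.NET cache, and a deny-by-default check that walks the principal's roles from the configured RoleProvider. The store interface, cache key and 5-minute TTL are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Caching;
using System.Web.Security;

// Hypothetical persistence interface standing in for the "additional tables":
// each row grants one permission to one role (the M-N relationship).
public interface IRolePermissionStore
{
    IEnumerable<KeyValuePair<string, string>> LoadRolePermissions(); // (role, permission)
}

public static class PermissionService
{
    private const string CacheKey = "RolePermissionMap";            // assumed key
    private static readonly TimeSpan CacheTtl = TimeSpan.FromMinutes(5); // assumed TTL

    // role -> permissions, built once from the store and kept in the ASP.NET cache.
    // Only the mapping is cached, never a per-user decision.
    private static Dictionary<string, HashSet<string>> GetMap(IRolePermissionStore store)
    {
        var cached = HttpRuntime.Cache[CacheKey] as Dictionary<string, HashSet<string>>;
        if (cached != null) return cached;

        var map = new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);
        foreach (var row in store.LoadRolePermissions())
        {
            HashSet<string> perms;
            if (!map.TryGetValue(row.Key, out perms))
            {
                perms = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
                map[row.Key] = perms;
            }
            perms.Add(row.Value);
        }
        HttpRuntime.Cache.Insert(CacheKey, map, null,
            DateTime.UtcNow.Add(CacheTtl), Cache.NoSlidingExpiration);
        return map;
    }

    // Admin tools call this after editing the mapping so a revoked permission
    // stops working immediately rather than when the TTL expires.
    public static void InvalidateCache()
    {
        HttpRuntime.Cache.Remove(CacheKey);
    }

    // Deny by default: anonymous users and roles with no rows get nothing.
    // Roles come from the configured RoleProvider, so a user removed from a
    // role loses its permissions on the next request.
    public static bool HasPermission(IPrincipal principal, string permission,
                                     IRolePermissionStore store)
    {
        if (principal == null || principal.Identity == null ||
            !principal.Identity.IsAuthenticated)
            return false;

        var map = GetMap(store);
        foreach (var role in Roles.GetRolesForUser(principal.Identity.Name))
        {
            HashSet<string> perms;
            if (map.TryGetValue(role, out perms) && perms.Contains(permission))
                return true;
        }
        return false;
    }
}
```

In a page or controller the check is then `if (!PermissionService.HasPermission(User, "CanDelete", store)) throw new HttpException(403, "Forbidden");`. Because only the role-to-permission table is cached, the cache holds no user data and the same entry serves every request; the cost of the check is one role lookup per request plus a dictionary probe per role.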
  • 2021-01-03 00:45

    Yes it's possible. Create the roles you want, add the users to the roles, and then just check User.IsInRole in your code where you perform the action that requires that role.

    Take a look at the Roles and Membership classes in System.Web.Security

  • 2021-01-03 00:54

    It's not there out of the box; but if you wanted to be more granular, why not have granular roles like "CanPrint", "CanDelete" rather than wider ones like "Admin"?

    If they want a container type scenario as you indicate in your comments you could set up a custom IPrincipal - where, after authentication, and with each new request you look at the user's role membership ("Admin", "Public" etc.) and then override IsInRole on your IPrincipal. You can find an example here

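The custom IPrincipal approach from the answer above, as an added example that is not the answerer's or the linked article's code: the principal wraps whatever forms authentication produced, expands the user's roles into permissions once per request, and answers `IsInRole` for both role names and permission names, so `[Authorize(Roles = "CanDelete")]` and `User.IsInRole("CanDelete")` keep working unchanged. The `RolePermissions` dictionary is a hypothetical in-memory mapping standing in for a database table.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public sealed class PermissionPrincipal : IPrincipal
{
    private readonly IPrincipal inner;
    private readonly HashSet<string> roles;
    private readonly HashSet<string> permissions;

    public PermissionPrincipal(IPrincipal inner, IEnumerable<string> roleNames,
                               IDictionary<string, string[]> rolePermissions)
    {
        this.inner = inner;
        roles = new HashSet<string>(roleNames, StringComparer.OrdinalIgnoreCase);
        permissions = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        // Expand the user's roles to the union of the permissions they grant.
        foreach (var role in roles)
        {
            string[] granted;
            if (rolePermissions.TryGetValue(role, out granted))
                permissions.UnionWith(granted);
        }
    }

    public IIdentity Identity { get { return inner.Identity; } }

    // True for a real role name or for a permission reachable through any role.
    // Anonymous principals are never in any role.
    public bool IsInRole(string role)
    {
        if (Identity == null || !Identity.IsAuthenticated) return false;
        return roles.Contains(role) || permissions.Contains(role);
    }
}

// Global.asax: swap the principal in once per request, after authentication ran.
public class MvcApplication : HttpApplication
{
    // Hypothetical mapping; in a real app this is loaded from the database and cached.
    private static readonly IDictionary<string, string[]> RolePermissions =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "Admin",  new[] { "CanPrint", "CanEdit", "CanDelete" } },
            { "Public", new[] { "CanPrint" } },
        };

    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var user = Context.User;
        if (user == null || !user.Identity.IsAuthenticated) return;

        // Roles are re-read every request, so removing a user from "Admin"
        // takes effect on the next request without re-login.
        var roleNames = Roles.GetRolesForUser(user.Identity.Name);
        var principal = new PermissionPrincipal(user, roleNames, RolePermissions);
        Context.User = principal;
        System.Threading.Thread.CurrentPrincipal = principal;
    }
}
```

Because roles and permissions share one name space in `IsInRole`, keep them distinguishable by convention (for instance `Can...` prefixes for permissions) so an operator cannot accidentally create a role whose name is also a permission.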
  • 2021-01-03 00:54

    You could return PERMISSIONS instead of the ROLES in your RoleProvider.

    // Inside a custom RoleProvider: the parameter name must match its use in the body.
    public override string[] GetRolesForUser(string username) {
       return GetGrantedPermissions(username);
    }
    

    Then create your admin pages to add {granted/denied} permissions to roles and of course users to roles.

  • 2021-01-03 01:04

    I found this article that gives a nice example

    using System;
    using System.Security.Authentication;
    using System.Web;
    using System.Web.Mvc;

    [Flags]
    public enum Permissions
    {
        View                 = (1 << 0),
        Add                  = (1 << 1),
        Edit                 = (1 << 2),
        Delete               = (1 << 3),
        Admin                = (View | Add | Edit | Delete)
    }

    // The article's User type and Session helper are not shown in the answer;
    // these minimal versions are what the filter below needs in order to compile.
    public class User
    {
        public Permissions Permissions { get; set; }

        // True only when every bit in 'required' is set.
        public bool HasPermissions(Permissions required)
        {
            return (Permissions & required) == required;
        }
    }

    public static class SessionExtensions
    {
        public static User GetUser(this HttpSessionStateBase session)
        {
            return session == null ? null : session["User"] as User;
        }
    }

    // Controller action: authenticationService is the article's own service.
    public ActionResult Authenticate(string username, string password)
    {
        var user = authenticationService.Authenticate(username, password);
        Session["User"] = user;

        return RedirectToAction("Somewhere", "Else");  
    }

    public class PermissionsAttribute : ActionFilterAttribute
    {
        private readonly Permissions required;

        public PermissionsAttribute(Permissions required)
        {
            this.required = required;
        }

        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            var user = filterContext.HttpContext.Session.GetUser();
            if (user == null)
            {
                // send them off to the login page; setting Result short-circuits the
                // action without the ThreadAbortException that Response.Redirect(url, true) raises
                var url = new UrlHelper(filterContext.RequestContext);
                var loginUrl = url.Content("~/Home/Login");
                filterContext.Result = new RedirectResult(loginUrl);
            }
            else if (!user.HasPermissions(required))
            {
                throw new AuthenticationException("You do not have the necessary permission to perform this action");
            }
        }
    }

    [Permissions(Permissions.View)]
    public ActionResult Index()
    {

        // ...

    }

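The same `[Flags]` permission scheme expressed as an authorization filter instead of an action filter, as an added example that is not the answerer's or the article's code. An `AuthorizeAttribute` runs in the authorization stage, before model binding and action filters, and MVC consults it again through `OnCacheAuthorization` when a response is served from the output cache, which a plain `ActionFilterAttribute` never sees. Permissions are resolved per request through a hypothetical `IPermissionResolver` rather than read from Session, so a revocation takes effect on the next request; the resolver and the `DocumentsController` are assumptions for illustration.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

[Flags]
public enum Permissions
{
    None   = 0,
    View   = 1 << 0,
    Add    = 1 << 1,
    Edit   = 1 << 2,
    Delete = 1 << 3,
    Admin  = View | Add | Edit | Delete
}

public static class PermissionCheck
{
    // Every bit in 'required' must be present in 'granted'; requiring None is
    // treated as a configuration mistake and denied rather than silently allowed.
    public static bool HasAll(Permissions granted, Permissions required)
    {
        return required != Permissions.None && (granted & required) == required;
    }
}

// Hypothetical lookup, e.g. backed by the role-to-permission tables and a cache.
public interface IPermissionResolver
{
    Permissions GetPermissions(string username);
}

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method,
                AllowMultiple = false, Inherited = true)]
public sealed class RequirePermissionAttribute : AuthorizeAttribute
{
    private readonly Permissions required;

    // Set once at application start (hypothetical wiring).
    public static IPermissionResolver Resolver { get; set; }

    public RequirePermissionAttribute(Permissions required)
    {
        this.required = required;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // base handles "is authenticated" plus any Users/Roles set on the attribute.
        if (!base.AuthorizeCore(httpContext)) return false;

        var granted = Resolver.GetPermissions(httpContext.User.Identity.Name);
        return PermissionCheck.HasAll(granted, required);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Authenticated but lacking the permission: answer 403 instead of
        // redirecting an already logged-in user back to the login page.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

public class DocumentsController : Controller
{
    [RequirePermission(Permissions.View)]
    public ActionResult Index()
    {
        return View();
    }

    // Both bits are required: a user holding only Delete is refused.
    [RequirePermission(Permissions.Edit | Permissions.Delete)]
    public ActionResult Purge(int id)
    {
        return RedirectToAction("Index");
    }
}
```

Since `Admin` is defined as the union of the other flags, `HasAll(Permissions.Admin, required)` succeeds for any combination of them, while a user holding `View | Delete` is refused by `Purge` because the `Edit` bit is missing; composing requirements with `|` therefore always means "all of these", and an "any of these" rule needs a separate attribute.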