ASP.Net MVC, role based security and other person-based data

Question

I have an ASP.Net MVC application and I'm using Forms authentication in SQL Server. This sets up the authentication and authorization for me. However, I have other person-based data that I need to track as well, such as the person's phone number, department, their charge-out rate, start date, etc.

WHAT the person can do (which is controlled by ASP.Net security) is related to WHO they are (which is controlled by my application).

Is there a best practice for linking ASP.Net with my application data to get a more complete person object? Can I simply extend the information in the ASP.Net tables? Is it better to keep it separate? Has anyone got any tips or links for guidance?

Answer 1

Use the built-in functionality for Profile Properties to store additional data about your users.

Answer 2

Since you are already using ASP.NET Forms Authentication the ASP.NET RoleProvider which can be integrated into MVC via the Authorize attribute is just as easy to setup.

And you get something like this:

[Authorize(IsInRole="Chef")]
public ActionResult Cook() { // snip ...

And if you did use all that, there's also the ProfileProvider for ASP.NET which generates profile code for you with full intellisense support. You can customize which fields you want and what data types it should be stored in etc. etc.

Both the Role Provider and Profile Provider can be customized or roll-your-own, there are many many articles on the internet that will tell you how.

Using the ASP.NET providers also gives you the benefits that the data is maintained automatically throughout the ASP.NET request processing pipeline, e.g. you can access this property:

HttpContext.Current.Profile

...from almost anywhere.