ASP.NET User privileges

Question

Hi,

I have created an ASP.NET MVC-application with entity framwork. Due to customer demands I will have to implement a privilege hierachy where different users should have/shouldnt have rights to list/view/edit different kind of objects. And in some cases we need to go even deeper to restrict users from editing a certain property on an object.

I have created a few roles, but they are more generic like a "SystemAdmin"-role, a "CustomerAdmin"-role e t c

To make theese more narrow privileges, is roles the day to go or is there something else I can use or should I create some kind of privileges on my own in the database?

Thans in advance.

Answer 1

If you use the horribly named Authorization Manager / AzMan and the AzMan role provider, you can have extremely flexible roles (with nesting) and a simple tie-in to ASP.NET roles.

Answer 2

What I would do, if I were you, is implement the Specification pattern. Here's the basics of the Specification pattern:

public interface ISpecification<T>
{
    bool IsSatisfiedBy(T entity);
}

Once you do that, I would implement an ISpecification<IPrincipal> to specify the logic of each role. Then you might create an Attribute that takes the specification that would control authorization for a certain action. Here's an example of how that might look:

public class AuthorizeWith : AuthorizeAttribute
{
    public AuthorizeWith(Type specificationType)
    {
        Specification = Activator.CreateInstance(specificationType)
                             as ISpecification<IPrincipal>;
    }

    public ISpecification<IPrincipal> Specification { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        return base.AuthorizeCore(httpContext) &&
                Specification.IsSatisfiedBy(httpContext.User);
    }
}

Hope that helps.