views:

660

answers:

2

We are building a multi-tenant website in ASP.NET, and we must let each customer configure their own security model. They must be able to define their own roles, and put users in those roles. What is the best way to do this?

There are tons of simple examples of page_load events that have code like:

  if (!user.InGroup("Admin"))
       Response.Redirect("/NoAccess.aspx");

But that hard codes the groups and permissions in the code. How can I make it user configurable?

A: 

I would create a configuration system for the website that is easily managed in config files, where you could get typed members and use them like this.

foreach (var group in ThisPageConfiguration.AcceptedRoleNames)
    if (user.IsInRole(group))
        ...

Each customer could then configure their site in their configuration files... and every other kind of thing you'd want to configure.

ullmark
+2  A: 

Perhaps put the configurable roles in a DB table, where you store the roles and tenant, and then the PagePermissions in another table, for example:

Table "Role"
RoleId, TenantId, Role

Table "PagePermissions"
PageId, RoleId

Table "UserRoles"
UserId, RoleId

Then in the page load check whether the User is in a RoleId that has permissions for that page, for example:

SELECT PP.PageId
FROM UserRoles UR
INNER JOIN PagePermissions PP ON UR.RoleId = PP.RoleId
WHERE UR.UserId = @UserId AND PP.PageId = @PageId

If there are no rows returned then deny the user.

Turnkey
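As an added example (not from the question or either answer), here is the answer's three-table scheme and deny-by-default page check run against an in-memory SQLite database in Python, used as a portable stand-in for the SQL Server-backed ASP.NET page. The Users table with its TenantId column, the tenant-consistency join, and all sample rows are assumptions not on the page; they exist to show why a tenant-scoped role table also needs a tenant check when roles are assigned.

```python
import sqlite3

# Constructed schema following the answer's tables. The Users table and its
# TenantId column are assumptions, added so a user's tenant can be compared
# with the tenant that defined each role.
SCHEMA = """
CREATE TABLE Users (UserId INTEGER PRIMARY KEY, TenantId INTEGER NOT NULL);
CREATE TABLE Role (RoleId INTEGER PRIMARY KEY, TenantId INTEGER NOT NULL,
                   Role TEXT NOT NULL, UNIQUE (TenantId, Role));
CREATE TABLE PagePermissions (PageId TEXT NOT NULL,
                              RoleId INTEGER NOT NULL REFERENCES Role(RoleId),
                              PRIMARY KEY (PageId, RoleId));
CREATE TABLE UserRoles (UserId INTEGER NOT NULL REFERENCES Users(UserId),
                        RoleId INTEGER NOT NULL REFERENCES Role(RoleId),
                        PRIMARY KEY (UserId, RoleId));
-- Constructed sample data: two tenants (100, 200), each defining its own Admin.
INSERT INTO Users VALUES (1, 100), (2, 100), (3, 200);
INSERT INTO Role VALUES (10, 100, 'Admin'), (11, 100, 'Viewer'), (20, 200, 'Admin');
INSERT INTO PagePermissions VALUES ('/Admin/Users.aspx', 10),
                                   ('/Admin/Users.aspx', 20), ('/Reports.aspx', 11);
INSERT INTO UserRoles VALUES (1, 10), (2, 11), (3, 20);
"""

# The answer's page-load query, parameterized, plus a join that discards any
# role row whose TenantId differs from the user's own tenant.
CHECK_SQL = """
SELECT 1
FROM UserRoles UR
INNER JOIN Users U ON U.UserId = UR.UserId
INNER JOIN Role R ON R.RoleId = UR.RoleId AND R.TenantId = U.TenantId
INNER JOIN PagePermissions PP ON PP.RoleId = UR.RoleId
WHERE UR.UserId = ? AND PP.PageId = ?
LIMIT 1
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def user_can_access(conn, user_id, page_id):
    """Deny by default: access only when a row proves a grant exists."""
    return conn.execute(CHECK_SQL, (user_id, page_id)).fetchone() is not None

def assign_role(conn, user_id, role_id):
    """Refuse to place a user into a role that another tenant defined."""
    same_tenant = conn.execute(
        "SELECT 1 FROM Users U JOIN Role R ON R.TenantId = U.TenantId "
        "WHERE U.UserId = ? AND R.RoleId = ?", (user_id, role_id)).fetchone()
    if same_tenant is None:
        return False
    conn.execute("INSERT OR IGNORE INTO UserRoles VALUES (?, ?)", (user_id, role_id))
    return True
```

In the ASP.NET page the same query would run in Page_Load with SqlParameters in place of the `?` placeholders, redirecting to the no-access page whenever no row comes back.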
Yes, my solution is only usable when every customer has their own installation of the application. Perhaps I misunderstood...
ullmark