tags:

views:

50

answers:

3
+1  Q: 

How to design a system to filter requests on roles?

I have requirement to design a WCF Service based system to filter requests on roles in C#

Rules
    User can access X
    SuperUser can access Y
    Admin can access Z

    Database
    Resource AccessControl
    X        User,SuperUser,Admin
    Y        Admin
    Z        Admin

How do I create a system where I can transform these accesscontrols into something like a hash or a calculated mathematical value so that I don't have do multiple checks like

If(user = RequestUser.Role.User||user = RequestUser.Role.Admin)
{}

Instead do something like this

 Resource AccessControl               someCalculatedHashValue
    X        User,SuperUser,Admin     ????
    Y        Admin                    ????
    Z        Admin                    ????

if(user >= someCalculatedHashValue){}

Note: there could be one to many relationshps

A: 

Can't you use a Bit Vector for your roles (i.e. a Flags enumeration)?

That way you can simply add up the bits as your "hash".

Oded  2009-12-22 16:29:29
A: 

You could create a custom implementation of IPrincipal that implements IsInRole by wrapping the ranking logic you describe.

Now that I look closer at your question, it sounds awfully much like ACL-based security, and not role-based security at all. You may want to take a look at this instead.

Mark Seemann  2009-12-22 16:31:28
A: 

You failed to provide details about the system. Depending on the technology used there are already proven and well-known techniques to manage just that (WCF for example gives you this for "free").

The samples are probably not complete either, because the way you presented it

User, SuperUser, Admin
Admin
Admin

this could be handled with a simple enum and an int comparison and an enumeration like this:

public enum Role {
  Anonymous,
  User,
  SuperUser,
  Admin
}

if (user >= (int)Role.User) ...

But that's probably far too simple and doesn't cover your real need? In short: Can you elaborate?

Benjamin Podszun  2009-12-22 16:31:32
Assume this is done in WCF, what's available out of the box for this?
Nevin Mathai  2009-12-22 16:41:41
WCF allows you, depending on your design, to do the authorization in a declarative way (No if statements). If you want/need to do it in Code it supports you as well, but you end up with the same issue, having to map roles to operations.So - at that point you're back to your "if mess" or back at the beginning. You could either look at the enum or explore if it is possible to extract the logic into an extension method or something similar, that does the mapping between access right and role/user.
Benjamin Podszun  2009-12-22 20:35:41

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?