I have a requirement to design a WCF Service-based system to filter requests on roles in C#.

Rules
    User can access X
    SuperUser can access Y
    Admin can access Z

    Database
    Resource AccessControl
    X        User,SuperUser,Admin
    Y        Admin
    Z        Admin

How do I create a system where I can transform these access controls into something like a hash or a calculated mathematical value so that I don't have to do multiple checks like

if (user == RequestUser.Role.User || user == RequestUser.Role.Admin)
{ }

Instead do something like this

 Resource AccessControl               someCalculatedHashValue
    X        User,SuperUser,Admin     ????
    Y        Admin                    ????
    Z        Admin                    ????

if(user >= someCalculatedHashValue){}

Note: there could be one-to-many relationships

A: 

Can't you use a Bit Vector for your roles (i.e. a Flags enumeration)?

That way you can simply add up the bits as your "hash".

Oded
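The bit-vector approach from this answer, worked through as an added example (not code from the answer or the question): each resource's "calculated value" is the OR of the roles allowed on it, and one mask test replaces the chain of role comparisons. The resource names X, Y, Z and the allowed-role rows are taken from the question's table; the `AccessControl` class is an assumed name.

```csharp
using System;
using System.Collections.Generic;

// Roles as a bit vector: each role is one bit, so a user holding several roles
// (the one-to-many case in the question) is just the OR of those bits.
[Flags]
public enum Role
{
    None      = 0,
    User      = 1 << 0,
    SuperUser = 1 << 1,
    Admin     = 1 << 2
}

public static class AccessControl
{
    // Per-resource "hash": the OR of every role allowed on that resource.
    // Rows mirror the question's table (X: User,SuperUser,Admin; Y: Admin; Z: Admin).
    private static readonly Dictionary<string, Role> Acl = new Dictionary<string, Role>
    {
        ["X"] = Role.User | Role.SuperUser | Role.Admin,
        ["Y"] = Role.Admin,
        ["Z"] = Role.Admin
    };

    // One check, no per-role if chain: access is granted when any role the caller
    // holds is in the resource's allowed set. Unknown resources are denied by default.
    public static bool CanAccess(Role callerRoles, string resource)
    {
        Role allowed;
        if (!Acl.TryGetValue(resource, out allowed))
            return false;
        return (callerRoles & allowed) != Role.None;
    }

    public static void Main()
    {
        Console.WriteLine("User -> X: "            + CanAccess(Role.User, "X"));
        Console.WriteLine("User -> Y: "            + CanAccess(Role.User, "Y"));
        Console.WriteLine("User|SuperUser -> Z: "  + CanAccess(Role.User | Role.SuperUser, "Z"));
        Console.WriteLine("Admin -> Z: "           + CanAccess(Role.Admin, "Z"));
        Console.WriteLine("Admin -> W (unknown): " + CanAccess(Role.Admin, "W"));
    }
}
```

Unlike a `user >= value` comparison on an ordinal enum, the mask test does not assume the roles form a single linear ranking, so it still works when an allowed set skips a "lower" role (for example a resource open to SuperUser but not Admin).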
A: 

You could create a custom implementation of IPrincipal that implements IsInRole by wrapping the ranking logic you describe.


Now that I look closer at your question, it sounds awfully much like ACL-based security, and not role-based security at all. You may want to take a look at this instead.

Mark Seemann
A: 

You failed to provide details about the system. Depending on the technology used there are already proven and well-known techniques to manage just that (WCF for example gives you this for "free").

The samples are probably not complete either, because the way you presented it

User, SuperUser, Admin
Admin
Admin

this could be handled with a simple enum and an int comparison and an enumeration like this:

public enum Role {
  Anonymous,  // underlying values 0..3 give the ranking
  User,
  SuperUser,
  Admin
}

// C# enums compare directly with the relational operators, so no int cast is needed
if (user >= Role.User) ...

But that's probably far too simple and doesn't cover your real need? In short: Can you elaborate?

Benjamin Podszun
Assume this is done in WCF, what's available out of the box for this?
Nevin Mathai
WCF allows you, depending on your design, to do the authorization in a declarative way (no if statements). If you want/need to do it in code it supports you as well, but you end up with the same issue, having to map roles to operations. So - at that point you're back to your "if mess" or back at the beginning. You could either look at the enum or explore if it is possible to extract the logic into an extension method or something similar that does the mapping between access right and role/user.
Benjamin Podszun