I am trying to create an application that is based on module level security. The idea is we would have a user login, grab their roles, grab the pages those roles have access to, then in those pages grab the modules they have access to, then the functions inside the modules they have access to (list, create, edit, delete). That way in an admin screen someone could allow or deny modules and module functions to groups. Has anyone seen any sample projects like this or have ANY clue on how to implement this? I would really like to try this on an n-layer architecture, thanks for any advice :D

+1  A: 

Create your site with a basic membership system. Group your pages into folders and have Web.Config files in each to control access. This is all out-of-the-box functionality for the most part. The only custom code you would have to write is when creating an admin form.

As for the fine grain access, if they can't access the pages, they can't access their methods...

http://msdn.microsoft.com/en-us/library/yh26yfzy.aspx

UPDATE:

if User.IsInRole("Administrator")...

http://www.4guysfromrolla.com/articles/082703-1.2.aspx

On the same page, in the code-behind, you can check their roles programmatically and display/enable panels/modules accordingly :-)

IrishChieftain
Thanks for the info. I understand that much but I was wondering if it was possible to have an application in which 2 roles have access to a page but in that page different modules are loaded based on role, as well as different functionality in the modules based on role. Does that make sense? One page would have different modules and module functions based on role of user...
Jesse Johnson
@Jesse: Yes, see update. You can programmatically check roles and load your modules based on whether the user is in this role or not. You may find a more elegant way of doing this same thing depending on your object design :-)
IrishChieftain
A: 

I would use a base class for your pages to accomplish the effect you describe. In your base class you can add all of the available methods you will need, but provide an authorization method within the base class that allows methods to identify themselves based on the roles they're allowed to have. All of this could be configured with the web.config if you plan it down. A lot of times the "folder" based method for SQL membership just isn't robust enough.

I suppose as an example, you could build your own (or find one in the System.Security namespace) security enumeration to define access levels and then map access levels from your groups in AD (or wherever) to the enumerations. The methods could then use the security enumeration against your user object to determine if the user's access allows the function.

Joel Etherton
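
The security-enumeration idea from the answer above, sketched as an added example that is not code from either answerer: a flags enum for the list/create/edit/delete functions, a role-to-module grant table, and a deny-by-default check built on `IPrincipal.IsInRole`. `ModuleAccess`, `ModulePolicy`, `Effective`, `Demand`, the "Orders" module and the "Clerk" role are all hypothetical names, and the grant table is constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical names throughout; none of this comes from the answers above.
[Flags]
public enum ModuleAccess { None = 0, List = 1, Create = 2, Edit = 4, Delete = 8 }

public static class ModulePolicy
{
    // Constructed sample grants: (role, module) -> allowed functions.
    // In a real application an admin screen would edit these in a data store.
    static readonly Dictionary<(string Role, string Module), ModuleAccess> Grants =
        new Dictionary<(string Role, string Module), ModuleAccess>
        {
            [("Administrator", "Orders")] = ModuleAccess.List | ModuleAccess.Create
                                          | ModuleAccess.Edit | ModuleAccess.Delete,
            [("Clerk", "Orders")] = ModuleAccess.List | ModuleAccess.Create,
        };

    // Union of the grants from every role the user holds; no grant means None.
    public static ModuleAccess Effective(IPrincipal user, string module)
    {
        var access = ModuleAccess.None;
        foreach (var grant in Grants)
            if (grant.Key.Module == module && user.IsInRole(grant.Key.Role))
                access |= grant.Value;
        return access;
    }

    // Deny by default: every requested flag must be present in the user's grants.
    public static void Demand(IPrincipal user, string module, ModuleAccess needed)
    {
        if ((Effective(user, module) & needed) != needed)
            throw new UnauthorizedAccessException($"{module}: {needed} denied");
    }
}

public static class Demo
{
    public static void Main()
    {
        IPrincipal clerk = new GenericPrincipal(new GenericIdentity("jdoe"), new[] { "Clerk" });
        Console.WriteLine(ModulePolicy.Effective(clerk, "Orders")); // drives which panels render
        ModulePolicy.Demand(clerk, "Orders", ModuleAccess.Create);  // granted, returns normally
        try { ModulePolicy.Demand(clerk, "Orders", ModuleAccess.Delete); }
        catch (UnauthorizedAccessException e) { Console.WriteLine(e.Message); }
    }
}
```

Call `Demand` inside the server-side handler that performs each create, edit or delete, and use `Effective` only to decide which panels to render; a hidden control does not stop a request that is posted to the handler directly.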