All the security stuff I have worked with in the past in ASP.Net for the most part has been role based. This is easy enough to implement and ASP.Net is geared for this type of security model. However, I am looking for something a little more fine grained than simple role based security.

Essentially I want to be able to write code like this:

if(SecurityService.CanPerformOperation("SomeUpdateOperation")){
    // perform some update logic here
}

I would also need row level security access like this:

if(SecurityService.CanPerformOperation("SomeViewOperation", SomeEntityIdentifier)){
    // Allow user to see specific data
}

Again, fine grained access control. Is there anything like this already built? Some framework that I can drop into ASP.Net and start using, or am I going to have to build this myself?
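One way to get the call shape asked for above, as an added example that is not part of the question: operations are the atomic unit, roles are just named bundles of operations, and the row-level overload delegates to a per-operation rule that receives the entity identifier. The IPermissionStore interface, the EntityRule delegate and the InMemoryPermissionStore are hypothetical names chosen for this example; in ASP.NET the current-user provider would be () => HttpContext.Current.User.Identity.Name, and the store would sit over SQL rather than in memory.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example (not from the question): operation-based authorization where roles are
// nothing more than named bundles of operations. The store interface and the row-level
// rule delegate are hypothetical names chosen for this example.
public interface IPermissionStore
{
    IEnumerable<string> GetRolesForUser(string userName);
    IEnumerable<string> GetOperationsForRole(string roleName);
}

// Row-level rule: given the current user and an entity identifier, decide whether the
// operation may be performed on that specific row.
public delegate bool EntityRule(string userName, object entityId);

public sealed class SecurityService
{
    private readonly IPermissionStore _store;
    private readonly Func<string> _currentUserName;
    private readonly Dictionary<string, EntityRule> _entityRules =
        new Dictionary<string, EntityRule>(StringComparer.OrdinalIgnoreCase);

    // In ASP.NET the user provider would be () => HttpContext.Current.User.Identity.Name.
    public SecurityService(IPermissionStore store, Func<string> currentUserName)
    {
        _store = store;
        _currentUserName = currentUserName;
    }

    public void RegisterEntityRule(string operation, EntityRule rule)
    {
        _entityRules[operation] = rule;
    }

    // Operation-level check: true when any role held by the current user grants the operation.
    public bool CanPerformOperation(string operation)
    {
        string user = _currentUserName();
        return _store.GetRolesForUser(user)
                     .SelectMany(role => _store.GetOperationsForRole(role))
                     .Contains(operation, StringComparer.OrdinalIgnoreCase);
    }

    // Row-level check: the operation must be granted AND the registered rule for that
    // operation must accept the entity. Fails closed when no rule has been registered.
    public bool CanPerformOperation(string operation, object entityId)
    {
        if (!CanPerformOperation(operation)) return false;
        EntityRule rule;
        if (!_entityRules.TryGetValue(operation, out rule)) return false;
        return rule(_currentUserName(), entityId);
    }
}

// Minimal in-memory store; a real one would sit over SQL or the ASP.NET membership tables.
public sealed class InMemoryPermissionStore : IPermissionStore
{
    public readonly Dictionary<string, string[]> Users =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase);
    public readonly Dictionary<string, string[]> Roles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase);

    public IEnumerable<string> GetRolesForUser(string userName)
    {
        string[] roles;
        return Users.TryGetValue(userName, out roles) ? roles : new string[0];
    }

    public IEnumerable<string> GetOperationsForRole(string roleName)
    {
        string[] ops;
        return Roles.TryGetValue(roleName, out ops) ? ops : new string[0];
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new InMemoryPermissionStore();
        store.Roles["Editor"] = new[] { "SomeUpdateOperation", "SomeViewOperation" };
        store.Roles["Viewer"] = new[] { "SomeViewOperation" };
        store.Users["alice"] = new[] { "Editor" };
        store.Users["bob"] = new[] { "Viewer" };

        // Constructed sample rows: order id -> owning user.
        var orderOwners = new Dictionary<int, string> { { 1, "alice" }, { 2, "bob" } };

        string currentUser = "bob";
        var security = new SecurityService(store, () => currentUser);
        security.RegisterEntityRule("SomeViewOperation", (user, id) =>
        {
            string owner;
            return orderOwners.TryGetValue((int)id, out owner)
                && string.Equals(owner, user, StringComparison.OrdinalIgnoreCase);
        });

        Console.WriteLine("bob update:   " + security.CanPerformOperation("SomeUpdateOperation"));  // Viewer role lacks the update operation
        Console.WriteLine("bob view 2:   " + security.CanPerformOperation("SomeViewOperation", 2)); // bob owns order 2
        Console.WriteLine("bob view 1:   " + security.CanPerformOperation("SomeViewOperation", 1)); // order 1 belongs to alice

        currentUser = "alice";
        Console.WriteLine("alice update: " + security.CanPerformOperation("SomeUpdateOperation"));  // Editor role grants the update operation
    }
}
```

The design choice worth noting is that the row-level overload fails closed: an operation that has no registered entity rule is denied at the row level even when the operation itself is granted, so forgetting to register a rule cannot silently widen access.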

+1  A: 

Have you looked at Authorization Manager (AzMan)? http://msdn.microsoft.com/en-us/library/bb897401.aspx

It was included with Server 2003 and has had a few updates in Server 2008, and comes with an MMC admin tool.

You can store your data in an XML file or an AD/ADAM partition using the Server 2003 version, and in Server 2008 they added SQL support.

This tool lets you link your security objects together in a hierarchical structure of roles, tasks & operations.

You can use this as a role based provider in Asp.net but they also include .net classes so you can access the authorization store contents directly.

squig
@squig, I looked at AzMan originally because it sounded too good to be true. Perhaps I didn't give it a close enough look, but it appeared to have two major "cons" that I saw. 1.) The ASP.Net AzMan providers supported only a very small subset of the overall hierarchy, thus making it no more useful than the normal providers, and 2.) It was tightly integrated with AD, which I wanted to avoid. If it is possible to use AzMan without all the AD integration then it might be worth it. At this point, I have my own providers that work pretty well for my needs.
Josh
A: 

I think you might be looking for Declarative security. Declarative security allows you to, well, 'declare' who can access what as attributes on the code. Here is a page on Role Based security, also on MSDN. Here is an example:

using System.Security.Permissions;

// Class-level demand: every member requires the caller to be in the "admins" role.
[PrincipalPermissionAttribute(SecurityAction.Demand, Role="admins")]
public class foo
{
    // Method-level demand adds a further role requirement on top of the class-level one.
    [PrincipalPermissionAttribute(SecurityAction.Demand, Role="Domain Admins")]
    public void bar()
    {
        // method body
    }
}
Mgetz
@Mgetz, I actually do use this attribute a lot, but more specifically what I was looking for was the ability to compose fine grained actions/operations up into roles. I specifically wanted to avoid using roles at all in my code. That way I can create arbitrary roles that are composed of any number of permissions and assign that role to a user. The user would then have access to that subset of permissions via their role. I have basically done this part using a custom RoleProvider, but I am surprised that nobody has done this already.
Josh
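The two positions in this exchange can be reconciled: the declarative attribute from the answer above keeps working if the principal's IsInRole answers for operations rather than roles, so code demands fine-grained operations while users are still assigned composed roles. The following is an added example, not code from the thread; OperationPrincipal and the role table are hypothetical, and it targets the .NET Framework, where PrincipalPermission demands are enforced (in ASP.NET the principal would be set on HttpContext.Current.User by an authentication module instead of Thread.CurrentPrincipal).

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example (not from the thread): an IPrincipal whose IsInRole answers for
// operations rather than roles, so PrincipalPermission demands (declarative or
// imperative) can name fine-grained operations while users are still assigned
// composed roles. OperationPrincipal and the role table are hypothetical.
public sealed class OperationPrincipal : IPrincipal
{
    private readonly HashSet<string> _operations;

    public OperationPrincipal(IIdentity identity, IEnumerable<string> operations)
    {
        Identity = identity;
        _operations = new HashSet<string>(operations, StringComparer.OrdinalIgnoreCase);
    }

    public IIdentity Identity { get; private set; }

    // PrincipalPermission.Demand calls this with the "role" named in the attribute;
    // here that name is treated as an operation.
    public bool IsInRole(string role) { return _operations.Contains(role); }
}

public static class Demo
{
    // Constructed role definitions: role -> the operations it is composed of.
    private static readonly Dictionary<string, string[]> Roles = new Dictionary<string, string[]>
    {
        { "Editor", new[] { "SomeUpdateOperation", "SomeViewOperation" } },
        { "Viewer", new[] { "SomeViewOperation" } },
    };

    private static void SignIn(string userName, params string[] roleNames)
    {
        var ops = new List<string>();
        foreach (var r in roleNames) ops.AddRange(Roles[r]);
        // In ASP.NET this would be assigned to HttpContext.Current.User in an
        // authentication module; for a console demo Thread.CurrentPrincipal suffices.
        Thread.CurrentPrincipal = new OperationPrincipal(new GenericIdentity(userName), ops);
    }

    // Declarative demand on an operation, in the style of the attribute shown in the answer above.
    [PrincipalPermission(SecurityAction.Demand, Role = "SomeUpdateOperation")]
    public static void UpdateSomething() { Console.WriteLine("update performed"); }

    // Imperative form of the same check, useful when the operation name is computed at run time.
    public static bool CanPerform(string operation)
    {
        try { new PrincipalPermission(null, operation).Demand(); return true; }
        catch (SecurityException) { return false; }
    }

    public static void Main()
    {
        SignIn("alice", "Editor");
        UpdateSomething();                                   // Editor is composed of SomeUpdateOperation

        SignIn("bob", "Viewer");
        Console.WriteLine(CanPerform("SomeViewOperation"));  // Viewer is composed of SomeViewOperation
        try { UpdateSomething(); }                           // Viewer lacks SomeUpdateOperation
        catch (SecurityException ex) { Console.WriteLine("denied: " + ex.Message); }
    }
}
```

Because the attribute names an operation, adding a new role later (or changing which operations an existing role bundles) is purely a data change in the role table; no method attributes have to be touched.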