EDIT - Rewrote my original question to give a bit more information
Background info
At my work I'm working on a ASP.Net web application for our customers. In our implementation we use technologies like Forms authentication with MembershipProviders and RoleProviders. All went well until I ran into some difficulties with configuring the roles, because the roles aren't system-wide, but related to the customer accounts and projects.
I can't name our exact setup/formula, because I think our company wouldn't approve that...
What's a customer / project?
Our company provides management information for our customers on a yearly (or other interval) basis.
In our systems a customer/contract consists of:
- one Account: information about the Company
- per Account, one or more Products: the bundle of management information we'll provide
- per Product, one or more Measurements: a period of time, in which we gather and report the data
Extranet site setup
Eventually we want all customers to be able to access their management information with our online system. The extranet consists of two sites:
- Company site: provides an overview of Account information and the Products
- Measurement site: after selecting a Measurement, detailed information on that period of time
The measurement site is the most interesting part of the extranet. We will create submodules for new overviews, reports, managing and maintaining resources that are important for the research.
Our Visual Studio solution consists of a number of projects. One web application named Portal for the basis. The sites and modules are virtual directories within that application (makes it easier to share MasterPages among things).
What kind of roles?
The following users (read: roles) will be using the system:
- Admins: development users :) (not customer related, full access)
- Employees: employees of our company (not customer related, full access)
- Customer SuperUser: top level managers (full access to their account/measurement)
- Customer ContactPerson: primary contact (full access to their measurement(s))
- Customer Manager: a department manager (limited access, specific data of a measurement)
What about ASP.Net users?
The system will have many ASP.Net users, let's focus on the customer users:
- Users are not shared between Accounts
- SuperUser X automatically has access to all (and new) measurements
- User Y could be Primary contact for Measurement 1, but have no role for Measurement 2
- User Y could be Primary contact for Measurement 1, but have a Manager role for Measurement 2
- The department managers are many individual users (per Measurement), if Manager Z had a login for Measurement 1, we would like to use that login again if he participates in Measurement 2.
URL structure
These are typical urls in our application:
- http://host/login - the login screen
- http://host/project - the account/product overview screen (measurement selection)
- http://host/project/1000 - measurement (id:1000) details
- http://host/project/1000/planning - planning overview (for primary contact/superuser)
- http://host/project/1000/reports - report downloads (manager department X can only access report X)
We will also create a document url, where you can request a specific document by it's GUID. The system will have to check if the user has rights to the document. The document is related to a Measurement, the User or specific roles have specific rights to the document.
What's the problem? (finally ;))
Roles aren't enough to determine what a user is allowed to see/access/download a specific item. It's not enough to say that a certain navigation item is accessible to Managers. When the user requests Measurement 1000, we have to check that the user not only has a Manager role, but a Manager role for Measurement 1000.
Summarized:
How can we limit users to their accounts/measurements?
(remember superusers see all measurements, some managers only specific measurements)How can we apply roles at a product/measurement level? (user X could be primarycontact for measurement 1, but just a manager for measurement 2)
How can we limit manager access to the reports screen and only to their department's reports?
All with the magic of asp.net classes, perhaps with a custom roleprovider implementation.
Similar Stackoverflow question/problem
http://stackoverflow.com/questions/1367483/asp-net-how-to-manage-users-with-different-types-of-roles