Hi,

I am creating a website in ASP MVC. Can anyone give me some advice on using the built-in membership provider in the following way?

I want my users to create an Administrative account for themselves and then create accounts for the people in their organization, or the people that they want to give access to.

I guess in a Database it will look something like this:

Companies have Administrators. Administrators can give users access.

I am sure this pattern is used all over the place; I am just not sure how to implement it, especially using the membership providers.

Thanks,

David

+1  A: 

There is nothing special in implementing this. It can be easily accomplished by built-in features of ASP.NET 2.0:

  1. Configure the Web site to use membership (via `web.config`).
  2. Enable role management (via the `web.config` `<roles enabled="true">` tag).
  3. Add administrator accounts to the Administrators role.
  4. Control access to the administrative pages by using the `[Authorize(Roles="Administrators")]` attribute on the controller action.
  5. Require authentication on other non-admin actions (`[Authorize]`).
Mehrdad Afshari
This works, but the difference is the concept of being an admin within your own organization.
JoshBerke
You can have an arbitrary number of roles. To make them work dynamically, you can manually check role presence instead of relying on Authorize. `HttpContext.Current.User.IsInRole` might help in this case.
Mehrdad Afshari
Thanks Mehrdad for your answer. Are you suggesting that when users sign up, I programmatically put them in the administrators group and then only allow them to add users to their application through business logic in the controller?
David Smit
Create one admin role per *application* and add admins to their specific roles. Then programmatically allow only specific actions.
Mehrdad Afshari
By the way, for simplicity, you can add all of them in a global Admin group and use it to authorize access to admin page.
Mehrdad Afshari
A: 

When I did this, I used the Membership Provider for authentication; however, the organization concept I created externally from the Provider. You could use the Profile Provider.

As for roles, I would still use the Roles within the ASP.NET Membership Model.

JoshBerke
A: 

You can create a role for those people and name it something like organizational-admin; though that's a bit long, you catch my drift :). And give those the power to create users with a regular user role. At least that's how I did it in one of my applications.

Of course you'll keep the admin to yourself or to the person who is in charge of this particular site.

Gu's blog has a small example of how to implement the roles in an action filter.

Morph
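
The approach discussed in the answers above, as an added example that is not code from any of the posters: a role check gates the action, and the organization is looked up from the signed-in admin rather than taken from the form, so an organizational admin can only create regular users inside their own company. `IOrganizationStore`, the role names `OrgAdmin` and `OrgUser`, and the controller and action names are assumptions; the roles must already exist and the controller needs the store supplied by your controller factory.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical store mapping usernames to organizations. The membership
// provider has no organization concept, so this lives in your own tables.
public interface IOrganizationStore
{
    int? GetOrganizationId(string username);
    void AddMember(int organizationId, string username);
}

[Authorize(Roles = "OrgAdmin")] // role name is an assumption
public class OrgUsersController : Controller
{
    private readonly IOrganizationStore _orgs;

    public OrgUsersController(IOrganizationStore orgs) { _orgs = orgs; }

    public ActionResult Index() { return View(); }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(string username, string password, string email)
    {
        // Derive the organization from the authenticated admin, never from
        // posted form data, so an admin cannot add users to another company.
        int? orgId = _orgs.GetOrganizationId(User.Identity.Name);
        if (orgId == null)
            return new HttpUnauthorizedResult();

        MembershipCreateStatus status;
        Membership.CreateUser(username, password, email,
                              null, null, true, out status);
        if (status != MembershipCreateStatus.Success)
        {
            ModelState.AddModelError("", "Could not create user: " + status);
            return View();
        }

        // New accounts get only the regular role; OrgAdmin is never granted here.
        Roles.AddUserToRole(username, "OrgUser");
        _orgs.AddMember(orgId.Value, username);
        return RedirectToAction("Index");
    }
}
```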