tags:

views:

115

answers:

1
+1  Q: 

Non RBAC User Roles and Permissions System: checking the user's City

We are currently designing a User Roles and Permissions System in our web application (ASP.NET), and it seems that we have several cases that do no fit within the classical Role-Based Access Control (RBAC). I will post several questions, each devoted to a particular case, this being the first post.

We have the following case: not to allow a user view a certain page if the user lives in a particular city. This is a simple case that is coded in the following way:

if (User.City == “Moscow”)
// Allow the user to view the page.
else
// Do not allow the user to view this page.

Though this case is very simple and straightforward, it has nothing to do with the RBAC.

On StackOverflow, someone called this an Attribute-based Access Control.

Under the classical RBAC, it seems that this case should be designed like this: introduce a permission “City where the person lives”, this permission will have a property City. Then create a role, add a permission of type “City = Moscow” to it and the assign the role to the user. Looks extremely cumbersome.

The question is whether it is acceptable to introduce such non-RBAC approaches to our permissions system – does that break the design or not?

This might seem a primitive question, but we found that most applications use pure RBAC, and we started to think that we might be doing something wrong.

Thank you.

A: 

This would be a nice case for an atribute based access control. However, if you don't mind looking at a PHP implementation, Zend Framework has a role based access control that uses assertions to solve more special cases:

http://framework.zend.com/manual/en/zend.acl.advanced.html

A standard rule would allow a role to do an action on a resource. A fourth parameter allows the rule only to apply when some condition is met. In pseudocode:

allow(member, view, page) // standard
allow(member, view, page, userLivesInMoscow) // assertion used

The assertion is an object that is passed the user. It has a method that checks whether the assertion is met:

interface Assertion
 bool public function assert()

class UserLivesIn implements Assertion
 public function UserLivesIn(User, City) ...
 // implementation of assert method comes here

This is a way of implementing what you need.

koen  2010-05-15 14:46:48
uh... if you were working in a Linux,PHP environment and had a problem and someone suggested that perhaps it would be easier to solve in an ASP.Net/C#/Windows environment, what would your impression be?
Sky Sanders  2010-05-15 22:55:57
@code poet I don't suggest solving it in another environment. I'm only pointing to an example solution in another environment that can be used as inspiration to port to the current environment. 'Looking at' != 'implementing with'.
koen  2010-05-15 23:12:16
ok, point taken. note: no downvote. But the reality of the situation is that the ASP.Net membership/roles infrastructure does not lend itself to this type of extension and consideration there of would require redesign, reimplementation of the entire security infrastructure.
Sky Sanders  2010-05-15 23:36:54

related questions

after running aspnet_regsql.exe , do I have to init the db with data? how?
Not using e-mail address in a custom MembershipProvider?
How to pass the current user to a web control declaratively
How do you rename a Role using Membership in .NET?
What encryption algorithm does the .net membership provider use?
Membership.GetUser() & MARS
Web.config editing for Membership Role Authorization
Globalization of Membership exceptions isn't taking place... What to do?
OpenId development while disconnected from Internet
programmatic login with .net membership provider
Addin extra properties to MembershipProvider
ASP.Net Providers from web server in DMZ
ASP.NET PasswordRecovery Control with Localized content
Examples of asp.net mvc and authentication
ASP.NET Membership for high security scenarios?
ASP.NET Forms Authentication With Only UserName
What to use for membership in ASP.NET
How can I wrap a transaction around Membership.CreateUser?
New site creation and security/authentication,- should I use ASP.net Membership Provider?
ASP.NET WSAT (Website Administration Tool) and Custom Membership Providers
How do you manage asp.net SQL membership roles/users in production?
How to access UserId in ASP.NET Membership without using Membership.GetUser() ?
Can I use OpenId with the ASP MembershipProvider?
How do you pass an authenticaticated session between app domains
Class design decision