Best practice for accessing a child of an aggregate root - c#

Hi guys, I use DDD and clean architecture.
I have a Customer domain model as the aggregate root, and Role is another domain model whose parent is that aggregate root. I want to access Role in the application layer: can I use the Role domain model directly, or do I have to go through the Customer domain model to access it?

Related

How to implement database record authorization with LDAP in ASP.NET MVC

I have a layered invoice-management application. The presentation layer is an ASP.NET MVC 4 project, and I use Entity Framework for database access. The invoices are stored in an Oracle database. I want to apply LDAP authentication to that application, but I have no idea how. Please guide me in implementing an authorization scheme so that:
- a user who has the admin role can view/create/edit/delete all invoices;
- every other authenticated user can only view/create/edit/delete the invoices that belong to their Department or to Departments subordinate to their Department.
Any help? I would appreciate it.

What's the best way to implement roles in a multi-tenant .net project?

My application is a .NET 4.7 Web API with Entity Framework 6.
This is for a software-as-a-service tool I am building. In my application there is a many-to-many relationship between AspNetUser and Company.
A user can have many companies, and a company can have many users. A user needs to have a different role / set of permissions based on which company it wants to work with. What is the best way to implement something like this?
I have thought about adding a CompanyId column to the AspNetUserRoles table, so a user would have a different role for each company it is related to. I'm not sure this is a very good implementation, and it might break how authorization works, so I don't want to touch it until I have a clearer understanding of how things work.
So far I have found this guide on resource-based authorization for multi-tenant applications. It seems to be what I'm looking for, but it is for .NET Core, and I'm not sure if it works for .NET 4.7.
I haven't been able to find something similar for .NET 4.7, so I am reaching out to the Stack Overflow community.
If you are building it from scratch, I recommend switching to ASP.NET Core and leveraging resource-based authorization.
I would also recommend reconsidering sharing a database between tenants. It is not exactly a great idea for SaaS applications, unless you need to save some money and are willing to add complexity to your code. You can read Multi-tenant SaaS database tenancy patterns.
If you want to stick with what you have, I can only recommend introducing a new class Employee that has a relationship with both AspNetUser and Company. That is how you get a single user that can be tied to many companies, while on the other side a Company will only have a collection of Employees.
As for roles, you can do something similar to the User-Employee-Company relationship. Since user roles need to be managed by the application owner (you), because you are setting authorization attributes on controllers and actions, you only let Company admins pick from the roles you defined, through a CompanyRole class. A Company can have many CompanyRoles, each with many AspNetUserRoles.
Example:
You set roles SuperAdmin [someone who has absolute control over the app and data] (probably you and maybe some of your fellow workers), CompanyAdmin [someone who has absolute control over the company] (probably the person who created the company in your app), EmployeeAdmin [someone who has been granted access to manage employees within the company] (probably a person from the company's HR department), EmployeeReader [someone who has been granted read-only access to employees within the company] (probably anyone can read info about other employees), etc. It depends on your needs and on how granular your authorization permissions are or you would like them to be.
Next, you let the CompanyAdmin create a set of CompanyRole entries tied to his company, each with a relationship to your roles. For example, a CompanyRole could be HumanResourcesAdmin and have a relationship to your role EmployeeAdmin.
Next, the CompanyAdmin needs to create a new Employee and say that this employee has those CompanyRoles. You need to pair the Employee with a user account (if it does not exist, the user needs to register). This can be done with invitation links sent over email after the employee is created or when the CompanyAdmin clicks an Invite User button.
Next, after the user registers/logs in, you need to take care of which company he wants to be signed in to, and based on that you can easily add the correct roles to his identity.
Is it clear?
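As an added example of the last step (not code from the original answer): building the identity for the company the user picked at sign-in, so that roles held in other companies are not carried over. It assumes the AppRole, CompanyRole, Employee and TenantIdentity names are hypothetical in-memory records (C# 9 syntax) standing in for the database entities; persistence and the ASP.NET sign-in call are left out.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Application-defined roles: the names checked by [Authorize(Roles = ...)].
enum AppRole { SuperAdmin, CompanyAdmin, EmployeeAdmin, EmployeeReader }

// Tenant-defined role: a CompanyAdmin names it, but it may only map to AppRoles.
record CompanyRole(int CompanyId, string Name, IReadOnlyList<AppRole> AppRoles);

// Links one AspNetUser to one Company and carries that company's CompanyRoles.
record Employee(string UserId, int CompanyId, IReadOnlyList<CompanyRole> CompanyRoles);

static class TenantIdentity
{
    // Builds the identity for the company chosen at sign-in (hypothetical helper).
    // Roles the user holds in other companies are deliberately left out.
    public static ClaimsIdentity Build(string userId, int companyId, IEnumerable<Employee> employees)
    {
        var employee = employees.SingleOrDefault(e => e.UserId == userId && e.CompanyId == companyId);
        if (employee == null)
            throw new UnauthorizedAccessException($"User {userId} is not an employee of company {companyId}.");
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.NameIdentifier, userId),
            new Claim("company_id", companyId.ToString()),  // constructed claim type for the active tenant
        };
        // Skip any CompanyRole whose CompanyId does not match: it must grant nothing here.
        foreach (var appRole in employee.CompanyRoles
                     .Where(r => r.CompanyId == companyId)
                     .SelectMany(r => r.AppRoles)
                     .Distinct())
            claims.Add(new Claim(ClaimTypes.Role, appRole.ToString()));
        return new ClaimsIdentity(claims, "ApplicationCookie", ClaimTypes.Name, ClaimTypes.Role);
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed sample data: alice is HR admin in company 1 and owner of company 2.
        var hr = new CompanyRole(1, "HumanResourcesAdmin", new[] { AppRole.EmployeeAdmin, AppRole.EmployeeReader });
        var owner = new CompanyRole(2, "Owner", new[] { AppRole.CompanyAdmin });
        var employees = new[] { new Employee("alice", 1, new[] { hr }), new Employee("alice", 2, new[] { owner }) };
        var principal = new ClaimsPrincipal(TenantIdentity.Build("alice", 1, employees));
        foreach (var c in principal.FindAll(ClaimTypes.Role)) Console.WriteLine(c.Value);
    }
}
```

Switching companies means rebuilding the identity with the new CompanyId rather than adding claims to the existing one, which is what keeps a role granted in one tenant from leaking into another.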

Access the User Role in data access

I have an MVC5 application, which uses the n-layer pattern.
On my website I have a search engine which allows the user to search for companies matching the query string.
The list of retrieved companies is filtered depending on the role of the user.
What is the best way to manage this in data access? I mean, how can I get the user role in my data access layer? Do you think it is a bad idea to reference the current user in the data access layer?
Thanks in advance.

ASP.NET: Forms-Based Authentication vs. Application-Internal (Domain-Specific) Roles

I am new to ASP.NET and I am working on an ASP.NET Web Site Application in which I have some internal (or domain-specific) roles, like BoardOfDirectors, Managers and Secretary belonging to an Employee class, ShareHolder as another role, and another one such as Company Administrator/Creator/Owner, etc. All these roles are internal (or domain/business-model) specific roles which delimit the business functions a specific role/actor can perform.
One of my colleagues told me to do R&D on ASP.NET Forms-Based Authentication, Authorization, the Membership class, etc. From this I initially got the idea that ASP.NET probably provides a ready-made role management module that can be customized to any domain-specific needs (just as we see in ready-made CMS systems).
But after some googling, I realized that Forms-Based Authentication limits roles to the use of web resources, specifically pages. This leads me to the idea that internal (or domain-specific) role management is not related to ASP.NET Forms-Based Authentication. Instead, Forms-Based Authentication (as it restricts access to pages in the website) can be used to manage external roles of the website, like Web Site Administrator (having a different website folder/file structure which should be accessed only by a role specified in the database, like Site Admin or so). Similarly, Forms-Based Authentication can be used to discriminate between a Site Member and a Free User/Visitor.
For my internal/domain-specific roles, I really do not see any reason to create multiple pages in different role-based folders with duplicate or overlapping functionality. For example, a Company Creator will be able to do the business functions that a Manager can do, so I would not like to create two separate folders/files, one for Company Creator and the other for Manager, with the Manager page duplicating some of the functionality from Company Creator. I feel that it would be appropriate to handle domain roles using business logic (in my Domain Model layer).
I need your suggestion on whether I am wrong in my understanding/assumption, or if I am missing something.
Regards
Do not mix up Authentication and Authorization.
Authentication in your case is going to be done using Forms-Based Authentication, and Authorization is going to be based on user roles.
Authentication ensures that the system recognizes the user. Authorization determines whether or not that user is allowed to perform certain actions or functionality.

Website to view multiple surveys owned by multiple organizations using ASP.NET

I am developing a web site which will be used to enter, edit and check survey status. The client can log into this web site to reach his dashboard, from which he can view survey status, enter a new survey, edit a survey, etc.
Now I want to put each survey in a separate database which will be named "surveyName"+SurveyDB. Since each Organization will have multiple users logging into the website, I have decided to create a separate database for the users which will contain the following:
- Users table
- Organizations table
- OrganizationSurveyMapping table
The Organizations table will have the organization info in it. The Users table will have user info and the organization that user belongs to. The OrganizationSurveyMapping table is a many-to-many table that maps each organization to its surveys; the name of the survey is the name of the database in which the survey resides. This name will be used to make a connection to the database.
My question is: am I doing it right? Is it OK to have each survey in a separate database? Is there a better way?
Separate databases? I don't think it's a good approach. Imagine there are thousands of surveys; there will be thousands of DBs.
Possible solutions:
1. Multiple tables: "surveyName"+User (still I don't think it would be a good approach)
2. Referential data (this is the best approach I can think of; you just need to normalize nicely)
Also, it doesn't make much sense to say "having each survey in a separate mdf file means it is isolated from other surveys."
If that were the case, then how would a CMS work? In a CMS like Kentico we can create multiple sites; does that mean they create a new DB for each? They don't. It's all about referential data integrity.
