Need to implement an Application Role Management feature.
Looked at AZMan; I guess it is a bit of overkill for my application.
Thinking of using XML input that has a multi-level hierarchy defining roles, given that some roles (like Administrator) can participate in all other (sub) roles.
Any recommendation highly appreciated.
If I'm understanding the question correctly, you just need a role implementation that handles hierarchical roles.
One approach might be to implement a custom RoleProvider
If you had your role database set up something like this (could also be a hierarchical XML file):
ID  Role       ParentRoleID
1   Admin      null
2   SubAdmin1  1
3   SubAdmin2  1
You could code your custom role provider such that if a user is explicitly assigned the admin role, they are "behind the scenes" given the admin role plus any sub roles. In this example, for a user explicitly assigned the "Admin" role, the GetRolesForUser method would return "Admin, SubAdmin1, SubAdmin2". In this way a call from your code to Roles.IsUserInRole("SubAdmin2") would return true for a user who was only explicitly assigned the "Admin" role.
HTH
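Added example, not part of the original answer: the role expansion that a custom RoleProvider's GetRolesForUser could perform over the ID / Role / ParentRoleID rows shown in the answer. The class names are hypothetical; the traversal skips roles it has already visited so that a malformed hierarchy with a ParentRoleID cycle cannot loop forever, and a user assigned only a sub role does not gain its parent.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example; RoleNode, RoleHierarchy and Demo are hypothetical names.
public sealed class RoleNode
{
    public int Id; public string Name; public int? ParentRoleId;
}
public sealed class RoleHierarchy
{
    private readonly Dictionary<string, RoleNode> _byName;
    private readonly ILookup<int, RoleNode> _children;
    public RoleHierarchy(IEnumerable<RoleNode> roles)
    {
        var list = roles.ToList();
        _byName = list.ToDictionary(r => r.Name, StringComparer.OrdinalIgnoreCase);
        _children = list.Where(r => r.ParentRoleId.HasValue)
                        .ToLookup(r => r.ParentRoleId.Value);
    }
    // Explicitly assigned roles plus every role beneath them. Names missing
    // from the hierarchy are dropped, so an unknown role grants nothing.
    public string[] Expand(IEnumerable<string> assigned)
    {
        var granted = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        var pending = new Stack<RoleNode>();
        foreach (var name in assigned)
            if (_byName.TryGetValue(name, out var start)) pending.Push(start);
        while (pending.Count > 0)
        {
            var node = pending.Pop();
            if (!granted.Add(node.Name)) continue; // already visited: stops cycles
            foreach (var child in _children[node.Id]) pending.Push(child);
        }
        return granted.ToArray();
    }
}
public static class Demo
{
    public static void Main()
    {
        var h = new RoleHierarchy(new[] { // the three rows from the answer
            new RoleNode { Id = 1, Name = "Admin" },
            new RoleNode { Id = 2, Name = "SubAdmin1", ParentRoleId = 1 },
            new RoleNode { Id = 3, Name = "SubAdmin2", ParentRoleId = 1 } });
        Console.WriteLine(string.Join(", ", h.Expand(new[] { "Admin" })));
        Console.WriteLine(string.Join(", ", h.Expand(new[] { "SubAdmin1" })));
    }
}
```

In a RoleProvider subclass, GetRolesForUser would return Expand(explicitRoles) and IsUserInRole would test membership in that result.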
I'm trying to solve the following problems:
The user can have just one role at a time.
He can change his current role inside the application, without needing to log out. For example, he wants to change from "Admin" to "Annalist".
I'm using this example as my authorization approach.
In there I can set multiple roles for the user, but once he is logged in, he has all roles at the same time.
Here is the way I handled this:
The user has only one "main" role.
The user has a list of other possible roles.
When logged in, only the main role is active in the claims.
When switching roles, another token is created for the user.
I'm using an AngularJS project and the ASP.NET Identity custom storage provider with Enterprise Library for token authentication.
Implemented a custom UserStore to create an account.
The [Authorize] attribute works well after logging in. I want to restrict the method to a particular user.
So I tried to implement [Authorize(Roles="Admin,User")].
Here one user can have two roles in practice. But as per the system, when the user logs in, we restrict the user to selecting a particular role.
So, after being validated by ASP.NET Identity, the user should select one of the roles.
Here my need is,
I want to maintain the role which he selected (we consider this concept like impersonate user, but not exactly).
Or,
Need to implement in the Authorize attribute itself.
I've seen some of the examples like we can add claim to identity.
But I can add custom claims only inside the method GenerateUserIdentityAsync.
In my case I need to add the claim after the login is validated. I've gone through some examples and implemented it like the following.
ClaimsIdentity identity = new ClaimsIdentity(DefaultAuthenticationTypes.ApplicationCookie);
identity.AddClaim(new Claim(ClaimTypes.Role, "Test"));
After adding the claim, when I try to get the claims to check the logged-in user's role,
List<Claim> claim = claims.Where(c => c.Type == ClaimTypes.Role).ToList();
I didn't get the role "Test".
My bad luck here is that, in claims, I have all the roles of the user except role = test.
How do I authorize the user role or maintain it for the logged-in user here?
I see at least three solutions for your problem:
1. Use a claim transformation to filter the role claims to match the role the user chooses. You can use a claim transformation middleware or you can filter the claims during login (be aware that you do not know the user roles BEFORE login, and filtering afterwards might be too late). PRO: Does not necessarily need session state. CON: User cannot choose during runtime.
2. Store the role in the session and authenticate against that role. Make sure that you check against the role claims when the user chooses his role. PRO: User might change role without re-sign-in. CON: Needs session state (might be an issue in farm environments).
3. Don't do it at all, and I'm totally serious about that. Provide your user a clean interface that lets him know what role he has, and use areas and other techniques to separate the concerns.
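Added example, not code from any of the posts above: one way to build the single-role identity that both the "another token is created" answer and the claim-filtering option describe. ActiveRoleIdentity and the sample user are hypothetical; the requested role is checked against the server-side list of assigned roles before any claim is created, and the resulting identity only affects [Authorize] once it is issued to the client as the new cookie or token.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Added example; ActiveRoleIdentity and Demo are hypothetical names.
public static class ActiveRoleIdentity
{
    // assignedRoles must come from the server-side user store, never from
    // the request; requestedRole is the untrusted value the user selected.
    public static ClaimsIdentity Build(string userName,
        IEnumerable<string> assignedRoles, string requestedRole, string authType)
    {
        var match = assignedRoles.FirstOrDefault(r =>
            string.Equals(r, requestedRole, StringComparison.OrdinalIgnoreCase));
        if (match == null)
            throw new UnauthorizedAccessException("Role is not assigned to this user.");

        var identity = new ClaimsIdentity(authType, ClaimTypes.Name, ClaimTypes.Role);
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));
        identity.AddClaim(new Claim(ClaimTypes.Role, match)); // the only role claim
        return identity;
    }
}

public static class Demo
{
    public static void Main()
    {
        var assigned = new[] { "Admin", "User" }; // constructed sample data
        var principal = new ClaimsPrincipal(
            ActiveRoleIdentity.Build("alice", assigned, "User", "ApplicationCookie"));
        Console.WriteLine(principal.IsInRole("User"));  // the selected role
        Console.WriteLine(principal.IsInRole("Admin")); // assigned but not active
        try { ActiveRoleIdentity.Build("alice", assigned, "Test", "ApplicationCookie"); }
        catch (UnauthorizedAccessException e) { Console.WriteLine(e.Message); }
    }
}
```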
My ASP.NET application allows users to log in and access certain information from the website. These users belong to multiple roles, e.g. I have roles like "Administrators", "Power Users" and "Guests". The users are allowed to modify or view data on the .aspx page as per their roles. I read through about Role Management in ASP.NET on MSN. What I could figure out is that the pages related to each role are sorted into a separate folder, i.e. I need to have sub folders like "Administrators", "Power Users" and "Guests". So when a user logs in he is redirected to the pages in the role he belongs to. Am I right?
Here the drawback is that if I need to make some changes to the Administrator folder, I will as well need to make the same changes to other folders.
This would make it very cumbersome and difficult to track sometimes. Is there some other way we can do this?
Thanks & Regards,
Sarin Gopalan
Well, you can manage it by separating user-specific functionality into specific controllers, i.e. AdminController, UserController.
You can extract functions that are not user-specific into a common controller and access them directly from there.
Additionally, the Authorize attribute can be applied on a controller or even on a method. It will allow you to have fine-grained control over who can access a method in a controller.
[Authorize(Roles = "ADMIN, Sales Admin")]
Is there a preferred way of doing fine-grained access control that can be modified during runtime?
ASP.net membership doesn't seem to support this. I thought of creating constant invisible subroles so that there would be a set of hidden roles like "_CanEditContent" and "_CanDeleteOthersContent". The check would be [Authorize(Roles = SubRoles.CanEditUser)] which would check that the user is in a role that has _CanEditUser role. The problem there is of how to assign roles to other roles so that when we create a new role like "UserAdmin" how could we assign "_CanEditUser" role to that new role? That seems impossible.
What I need to do is to be able to create roles during runtime and add custom permissions for new or existing roles. I would do the checks with something like [Authorize] and custom checks for AJAX methods. How would I achieve this?
Indeed, ASP.NET membership does not support this. You'll have to roll out your own mechanism with your own authorization attributes, which will use information about user (or role) permissions.
You can use ASP.NET membership for role management, and then assign permissions to roles whichever way you want, for example, in a database.
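Added example, not part of the original answer: a custom authorization attribute that checks a permission instead of a fixed role list, with the role-to-permission mapping editable at runtime. RolePermissions and RequirePermissionAttribute are hypothetical names, the in-memory map stands in for the database the answer suggests, and the code assumes a reference to System.Web.Mvc. A role with no mapping has no permissions, so the check denies by default.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Added example; hypothetical in-memory stand-in for a permissions table.
public static class RolePermissions
{
    private static readonly object Gate = new object();
    private static readonly Dictionary<string, HashSet<string>> Map =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);

    public static void Grant(string role, string permission)
    {
        lock (Gate)
        {
            if (!Map.TryGetValue(role, out var perms))
                Map[role] = perms = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
            perms.Add(permission);
        }
    }
    public static void Revoke(string role, string permission)
    {
        lock (Gate) { if (Map.TryGetValue(role, out var perms)) perms.Remove(permission); }
    }
    public static string[] RolesWith(string permission)
    {
        lock (Gate)
            return Map.Where(kv => kv.Value.Contains(permission))
                      .Select(kv => kv.Key).ToArray();
    }
}

// Usage: [RequirePermission("_CanEditUser")] on a controller or action.
public sealed class RequirePermissionAttribute : AuthorizeAttribute
{
    private readonly string _permission;
    public RequirePermissionAttribute(string permission) { _permission = permission; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var user = httpContext.User;
        if (user == null || !user.Identity.IsAuthenticated) return false;
        // Looked up on every request, so Grant/Revoke apply immediately.
        return RolePermissions.RolesWith(_permission).Any(user.IsInRole);
    }
}
```

Creating a role such as "UserAdmin" at runtime then only requires RolePermissions.Grant("UserAdmin", "_CanEditUser"); no attribute on any controller changes.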
I'm building a web application in which I want users to have specific permissions to perform a specific action. I don't want to use the default permission and role providers in ASP.NET.
I was thinking of having each User associated with a Role. Each Role is mapped to a set of Permissions (CreatePost, ReadPost, UpdatePost, DeletePost and so on).
I have a couple of questions regarding this. Would it be best to have a boolean property for each Permission on the role or some sort of bitfield? I like the idea of having methods for this but probably need to map these to the permissions stored for the role in the database.
Also, how would I implement this for each action/request? I'm thinking something along the lines of what was posted here but I'm not really sure.
Thanks!
Make your own role provider and register it in the web.config. Look at the MSDN for a sample. Once it is registered it will associate the roles you provide with the principal.
I've just done that for one of my projects and it works fine.
To check whether the user has permission to execute a task you'll have to see whether the user is in the required role. In "normal" ASP.NET you will have to do this in code. In MVC you can do that with attributes on each class/method in the controller.