Control-level security

carlor

Hi there,

We are working on an application that requires security (authorization) to
be applied down to the control level. There will be certain controls on pages
that will only be available to certain groups of users as well as specific
users. For example, the sys admin will be given the ability to specify that
only those in the XYZ group have access to a specific Save button and only
Mary Quite-Contrary can access the Delete button on a certain page.

All of the security will be database driven allowing the sys admin to
add/remove groups and individuals at will. We were thinking of creating our
own set of derived controls that give us the security features we need. Also,
the authorization data would be cached to an XML file on a daily basis and
that file would be used to configure the controls’ security avoiding MANY
hits to the database. Has anyone implemented such a beast before? Any
suggestions on how to approach this would be greatly appreciated.


Thanks,

Carlo.
 
Wouter van Vugt

Hi Carlor,

When you say 'Controls', I am thinking you mean your own custom control
implementations. If so, I would probably try to use the IPermission
interface to implement my own custom permission. Use the
CodeAccessSecurityAttribute to apply declarative security to your
custom control class. In the Demand method of the IPermission, validate
against the database using Thread.CurrentPrincipal.

Anyone else who thinks this is a good or bad approach?

Grtz,

Wouter van Vugt
Trainer - Info Support
http://blogs.infosupport.com/wouterv
 
carlor

Hi,

Thanks for your reply. By "controls" I mean web controls like buttons, text
boxes, etc. We need to allow access to those controls on a role/user group
basis as well as down to a specific user basis. I will look into the
IPermission interface because I'm thinking we'll have to derive a whole new
set of controls to support this requirement.

Thanks,

Carlo.
 
Wouter van Vugt

Hi Carlo,

Yes, when you want to guard TextBoxes and such, you'll probably be best off
deriving from them. A small question, why?? Why would you want to
secure something as basic as a TextBox. You could also guard the code
where the data from the TextBox will be placed. That way, it won't
matter whether you use a TextBox or DropDownList as your editing
control.

Grtz, Wouter van Vugt
 
carlor

Thanks for your reply. In answer to your question, we need to be able to
control down to the control level because the client wants to dynamically be
able to specifically allow certain users access to different controls like
check boxes and buttons. E.g. the sys admin for the client will get a request
to give a specific user the ability to click the delete button on page
XYZ.aspx even though she's not a member of the group that has that ability.
Don't add her to that group, just give her the ability to click that one
particular button. The sys admin must also be able to do this for any control
on any of the 80+ pages.

As far as I can tell, doing that through code would be very cumbersome
requiring a huge block of ifs or selects for each control on each page. This
would also require an application change every time a new user was given
access to a button. Of course, if I'm making this too complicated for myself
please let me know. Sometimes I can't see the forest for the trees.

Thanks,

Carlo.
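
A sketch of the derived-control idea discussed in this thread, added here as an example and not code from any of the posters. It uses a plain role/user lookup rather than the IPermission approach suggested above; the names ControlAcl, ControlAuthorizer and SecureButton are hypothetical, and the rule snapshot is assumed to be loaded from the database (or its daily cache) elsewhere.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web.UI.WebControls;

// Hypothetical rule for one control on one page: groups and individual users allowed.
public sealed class ControlAcl
{
    public HashSet<string> Groups = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
    public HashSet<string> Users = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
}

public static class ControlAuthorizer
{
    // Key: "<page>|<control id>", e.g. "~/XYZ.aspx|btnDelete". Swapped whole on cache refresh.
    private static volatile Dictionary<string, ControlAcl> _rules =
        new Dictionary<string, ControlAcl>(StringComparer.OrdinalIgnoreCase);

    public static void Load(Dictionary<string, ControlAcl> snapshot) { _rules = snapshot; }

    public static bool IsAllowed(IPrincipal user, string page, string controlId)
    {
        if (user == null || !user.Identity.IsAuthenticated) return false;
        ControlAcl acl;
        // Deny by default: a control with no rule is available to nobody.
        if (!_rules.TryGetValue(page + "|" + controlId, out acl)) return false;
        if (acl.Users.Contains(user.Identity.Name)) return true;  // per-user grant
        foreach (string g in acl.Groups)
            if (user.IsInRole(g)) return true;                    // group grant
        return false;
    }
}

// Derived control: one check replaces the per-page blocks of ifs.
public class SecureButton : Button
{
    private bool Allowed() { return ControlAuthorizer.IsAllowed(Page.User, Page.AppRelativeVirtualPath, ID); }

    protected override void OnPreRender(EventArgs e)
    {
        Visible = Allowed();   // hiding is a UI convenience, not the enforcement point
        base.OnPreRender(e);
    }

    // Enforcement: a postback for this button raises no event unless the user is allowed.
    protected override void OnClick(EventArgs e) { if (Allowed()) base.OnClick(e); }
    protected override void OnCommand(CommandEventArgs e) { if (Allowed()) base.OnCommand(e); }
}
```

Because the rules are looked up by page and control ID, granting one user access to one button is a data change only. The code that performs the delete should still check authorization itself, as suggested earlier in the thread, so the operation stays protected if it is ever reached by another route.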
 
