Extension of Role based security


Richard Cannock

Hi.

I am developing a sports-based administration site where a user administers
sports leagues, e.g. a soccer league.

As I understand it, the current role-based security is based on a user being
in one-to-many global roles for the whole web application.

In my application, a user may register with the site (making use of the default
wizard), but then may proceed to be an admin in one league, but a simple user
(player/user) in another league, or hold multiple roles (Admin, player) in a league.

Therefore, we have the concept of role-specific leagues and permissions.

Simply placing administration pages in a secure folder only accessible to
league admins will meet one requirement, but if a user is in the admin role
in any league, they'd be able to get in and potentially administer another
person's league completely!

Therefore, the only thought I have had is to have two levels of security:

Role-based access to pages, i.e. put leagueadmin.aspx in a secured folder
only accessible to users in the league admin role.

Then in the leagueadmin.aspx code-behind (assuming leagueid is passed in the
query string), extend the User object and add a method
IsUserInRoleForLeague("ADMIN", LeagueId).

Basically, is there a more elegant way than this?

Sorry for the longish post!
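The two-level scheme described in the post above, as an added example written for this thread rather than code from the original post: the folder-level role check stays in web.config, and the leagueadmin.aspx code-behind adds a league-scoped check so that holding the admin role in one league does not open another league's pages. The LeagueRoleStore class, its sample entries and the user names alice and bob are constructed assumptions standing in for a per-league membership table.

```csharp
// Added example (not from the original post): league-scoped authorization
// for leagueadmin.aspx. Folder-level role security still gates the page;
// this check additionally ties the "ADMIN" role to the league named in the
// query string, so an admin of league 1 cannot act on league 2 by editing
// ?leagueId=2.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;

// Hypothetical store: "userName|leagueId" -> roles held in that league.
// In the real site this would be a table keyed by user and league.
public static class LeagueRoleStore
{
    private static readonly Dictionary<string, HashSet<string>> Entries =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            // Constructed sample data for illustration only.
            { "alice|1", new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "ADMIN", "PLAYER" } },
            { "alice|2", new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "PLAYER" } },
            { "bob|2",   new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "ADMIN" } },
        };

    // The method Richard sketched: is this user in this role for this league?
    public static bool IsUserInRoleForLeague(string userName, string role, int leagueId)
    {
        if (string.IsNullOrEmpty(userName)) return false;
        HashSet<string> roles;
        // Fail closed: an unknown user/league pair yields false.
        return Entries.TryGetValue(userName + "|" + leagueId, out roles)
            && roles.Contains(role);
    }
}

public partial class LeagueAdmin : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // The league id arrives from the client; validate it before use and
        // only trust it once it has been matched against the caller's
        // scoped membership.
        int leagueId;
        if (!int.TryParse(Request.QueryString["leagueId"], out leagueId) || leagueId <= 0)
        {
            Response.StatusCode = 400;
            Response.End();
            return;
        }

        string user = User.Identity.Name;
        if (!LeagueRoleStore.IsUserInRoleForLeague(user, "ADMIN", leagueId))
        {
            // Authenticated, and possibly an admin elsewhere, but not an
            // admin of *this* league.
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        // ... render the administration UI for leagueId only ...
    }
}
```

With the sample data, alice reaches leagueadmin.aspx?leagueId=1 but receives a 403 for leagueId=2, while bob gets the reverse. The same IsUserInRoleForLeague call should also guard any postback handler or web method that takes a league id, not just Page_Load, since the folder-level role check alone cannot tell leagues apart.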
 

PeterKellner

Richard Cannock said:
Hi.

I am developing a sports-based administration site where a user administers
sports leagues, e.g. a soccer league.

As I understand it, the current role-based security is based on a user being
in one-to-many global roles for the whole web application.

In my application, a user may register with the site (making use of the default
wizard), but then may proceed to be an admin in one league, but a simple user
(player/user) in another league, or hold multiple roles (Admin, player) in a league.

Therefore, we have the concept of role-specific leagues and permissions.

Simply placing administration pages in a secure folder only accessible to
league admins will meet one requirement, but if a user is in the admin role
in any league, they'd be able to get in and potentially administer another
person's league completely!

Therefore, the only thought I have had is to have two levels of security:

Role-based access to pages, i.e. put leagueadmin.aspx in a secured folder
only accessible to users in the league admin role.

Then in the leagueadmin.aspx code-behind (assuming leagueid is passed in the
query string), extend the User object and add a method
IsUserInRoleForLeague("ADMIN", LeagueId).

Basically, is there a more elegant way than this?

Sorry for the longish post!

I understand your problem. I see why you are not happy with the
IsUserInRoleForLeague solution. I'm not sure I'm completely on board with
the suggestion I'm about to make, but here it is anyhow.

You could create a role for each league. That is:

AdminLeague1, AdminLeague2, etc. (you can create these programmatically when
you add leagues). Then, have another role called SuperAdmin which has
access to all leagues.

I've done quite a bit of programming with the Membership API and it's pretty
easy. The only downside is you have to really be careful because of the
number of round trips generated to the database. I was thinking of trying
to Cache the access but Scott Guthrie warned me about the security issues I
may step in if I do that.

Just a thought.

Peter Kellner
http://peterkellner.net
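Peter's one-role-per-league suggestion, as an added example that is neither his code nor the ASP.NET framework's own: the role name is derived from the league id in one place, the role is created programmatically when a league is added, and the authorization check fetches the caller's roles once per request. It assumes a RoleProvider is configured in web.config and that SuperAdmin is the name of the all-leagues role.

```csharp
// Added example (not Peter's code): "one role per league" with the
// System.Web.Security.Roles API. Assumes a RoleProvider is configured in
// web.config and that leagues have positive integer ids.
using System;
using System.Web.Security;

public static class LeagueRoles
{
    public const string SuperAdminRole = "SuperAdmin";

    // Deterministic role name, so creation and checking cannot drift apart.
    public static string AdminRoleFor(int leagueId)
    {
        if (leagueId <= 0) throw new ArgumentOutOfRangeException("leagueId");
        return "AdminLeague" + leagueId;
    }

    // Call when a league is created. Idempotent, so re-running it is safe.
    public static void EnsureLeagueRole(int leagueId, string ownerUserName)
    {
        string role = AdminRoleFor(leagueId);
        if (!Roles.RoleExists(role))
            Roles.CreateRole(role);
        if (!Roles.IsUserInRole(ownerUserName, role))
            Roles.AddUserToRole(ownerUserName, role);
    }

    // One provider round trip: read the caller's roles once and compare
    // locally, instead of calling Roles.IsUserInRole for each candidate.
    public static bool CanAdministerLeague(string userName, int leagueId)
    {
        if (string.IsNullOrEmpty(userName)) return false;
        string wanted = AdminRoleFor(leagueId);
        foreach (string r in Roles.GetRolesForUser(userName))
        {
            if (string.Equals(r, SuperAdminRole, StringComparison.OrdinalIgnoreCase) ||
                string.Equals(r, wanted, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }
}
```

In the leagueadmin.aspx code-behind the check becomes `LeagueRoles.CanAdministerLeague(User.Identity.Name, leagueId)` after the query-string id has been validated. On the round-trip concern: if the role list is needed more than once while serving one request, keep it in HttpContext.Items for that request only; a cache that outlives the request can keep serving a role after it has been revoked, which is the kind of issue Peter alludes to.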
 

PeterKellner

Hi.

I am developing a sports-based administration site where a user administers
sports leagues, e.g. a soccer league.

As I understand it, the current role-based security is based on a user being
in one-to-many global roles for the whole web application.

In my application, a user may register with the site (making use of the default
wizard), but then may proceed to be an admin in one league, but a simple user
(player/user) in another league, or hold multiple roles (Admin, player) in a league.

Therefore, we have the concept of role-specific leagues and permissions.

Simply placing administration pages in a secure folder only accessible to
league admins will meet one requirement, but if a user is in the admin role
in any league, they'd be able to get in and potentially administer another
person's league completely!

Therefore, the only thought I have had is to have two levels of security:

Role-based access to pages, i.e. put leagueadmin.aspx in a secured folder
only accessible to users in the league admin role.

Then in the leagueadmin.aspx code-behind (assuming leagueid is passed in the
query string), extend the User object and add a method
IsUserInRoleForLeague("ADMIN", LeagueId).

Basically, is there a more elegant way than this?

Sorry for the longish post!

Just curious if you came up with a solution?
Peter Kellner
http://peterkellner.net
 