Role-Based Security: ACLs and Role Hierarchies

Liet Kynes

I'm new to the .NET security framework, and I pose the following questions:

1) According to the documentation I've read .NET is promoting a role-based
security model centered around IPrincipal. What about granular user-based
security requirements? For example: I'm building a file repository app that
allows users to upload files to the application and share them with specific
users and groups/roles. Suppose we have three roles (officer, manager, and
employee). An officer uploads a sensitive document to which only officers
are privy...with the exception of a single manager. This manager cannot
simply be moved into the officer role, since he should not be privy to all
files that officers can see. Is this a scenario that can be supported by the
.NET Security model, or will I have to "roll my own" permissioning framework
for this? It seems to me that each file would have to have its own ACL that
contained roles and users.

2) Is the concept of role hierarchies supported? Extending the example
above, officers should be able to see all files, managers see a subset(s),
and employees see a subset(s) of that. Is this supported, or do I have to
explicitly call .IsInRole for every group individually?

I'd appreciate any insight or pointers to more resources.

Liet
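
The scenario in the post above, sketched as an added example that is not part of the original post: a per-file ACL holding both user and role grants, checked against an `IPrincipal`, with a role hierarchy resolved in one place instead of repeated `IsInRole` calls. `FileAcl`, `AccessCheck`, the `Implies` map and the user names are hypothetical; only `IPrincipal`, `GenericPrincipal` and `GenericIdentity` come from `System.Security.Principal`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
// Hypothetical types for illustration; not .NET framework classes.
sealed class FileAcl
{
    public HashSet<string> Users { get; } = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
    public HashSet<string> Roles { get; } = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
}
static class AccessCheck
{
    // Senior role -> roles it implies. Must be acyclic, or SelfAndSeniors never terminates.
    static readonly Dictionary<string, string[]> Implies = new Dictionary<string, string[]>
    {
        ["officer"] = new[] { "manager" },
        ["manager"] = new[] { "employee" },
    };

    // The role itself plus every role senior to it in the hierarchy.
    static IEnumerable<string> SelfAndSeniors(string role)
    {
        yield return role;
        foreach (var kv in Implies.Where(e => e.Value.Contains(role)))
            foreach (var senior in SelfAndSeniors(kv.Key))
                yield return senior;
    }

    public static bool CanRead(IPrincipal user, FileAcl acl)
    {
        // Deny by default: no identity or an unauthenticated one gets nothing.
        if (user?.Identity == null || !user.Identity.IsAuthenticated) return false;
        // Per-user grant: the single manager named on an officers-only file.
        if (acl.Users.Contains(user.Identity.Name)) return true;
        // Role grant: a listed role, or any role senior to a listed role.
        return acl.Roles.SelectMany(r => SelfAndSeniors(r)).Any(r => user.IsInRole(r));
    }
}
static class Demo
{
    static void Main()
    {
        var acl = new FileAcl();        // constructed sample: a sensitive file
        acl.Roles.Add("officer");       // officers only...
        acl.Users.Add("bob");           // ...plus one named manager
        foreach (var (name, role) in new[] { ("alice", "officer"), ("bob", "manager"), ("carol", "manager") })
        {
            var p = new GenericPrincipal(new GenericIdentity(name), new[] { role });
            Console.WriteLine($"{name} ({role}): {AccessCheck.CanRead(p, acl)}");
        }
    }
}
```

Keeping the exception as a user entry on the file's ACL leaves the manager's role membership unchanged, so the grant covers that one file and nothing else officers can see.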