Role based security - where are permissions/operations?

A Mackie

I want to use role based security in ASP.NET, but can't see how assigning permissions/operations to a role is done. IsInRole can check a user is in a role - but how can I check a user has access to an operation that is assigned to a role?

Operations will be fixed at design time. However, assigning operations to one or more roles must be completely configurable at run time, as is assigning users to multiple roles. Roles must also be user-definable at run time. Similar to what Windows Authorization Manager provides, where users and roles are custom definable, as are assignments to operations, which can then be checked at run time with AccessCheck.

Is similar functionality available in ASP.NET role based security, to allow granular operations assigned to user-definable roles, which can then be checked at run time?

Thanks,
Andy Mackie.
 
Joe Kaplan (MVP - ADSI)

You really need to use AzMan if you want a very granular mechanism for
assigning permissions to your individual operations. ASP.NET will work fine
with AzMan if you are using Windows security, so that shouldn't be a
problem.

If you can't use AzMan but want similar functionality, then you may need to
implement your own framework that does similar stuff.

Joe K.
 
A Mackie

Joe said:
You really need to use AzMan if you want a very granular mechanism for
assigning permissions to your individual operations. ASP.NET will work fine
with AzMan if you are using Windows security, so that shouldn't be a
problem.

If you can't use AzMan but want similar functionality, then you may need to
implement your own framework that does similar stuff.

AzMan has the functionality I need, but its storage of data is a problem. Either XML file on disk - OK for development but not for production; or in Active Directory, which not all customers will have or want. If AzMan could store its data in SQL Server, that would be ideal, but it doesn't seem to support this, so doesn't integrate well with database applications. The ASP.NET v2.0 role manager does integrate well with SQL Server, but lacks the functionality of AzMan.

It looks like granular permission checking for true role based access control (RBAC), which also integrates well with SQL Server, will need custom coding, and isn't something that appears to be addressed in ASP.NET v2.0.

Am I missing something here? This would appear to be a very common need, so I find it hard to believe that .NET doesn't provide a solution for this, other than "code-it-yourself".

Thanks,
Andy Mackie.
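
The custom operation check discussed in this thread, as an added example (not code from either poster, from AzMan or from ASP.NET): operations map to roles in a store that can be edited at run time, and AccessCheck resolves an operation through IPrincipal.IsInRole, denying by default. The class, method, role and operation names are hypothetical, and the in-memory dictionary stands in for a SQL Server table.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical names throughout. The dictionary stands in for a
// RoleOperations table in SQL Server that an admin UI edits at run time.
public sealed class OperationAuthorizer
{
    private readonly object _lock = new object();
    private readonly Dictionary<string, HashSet<string>> _grants =   // operation -> roles
        new Dictionary<string, HashSet<string>>(StringComparer.Ordinal);

    public void Grant(string role, string operation)
    {
        lock (_lock)
        {
            HashSet<string> roles;
            if (!_grants.TryGetValue(operation, out roles))
                _grants[operation] = roles = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
            roles.Add(role);
        }
    }

    // Deny by default: anonymous user, unknown operation or no matching role => false.
    public bool AccessCheck(IPrincipal user, string operation)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated) return false;
        string[] roles;
        lock (_lock)
        {
            HashSet<string> granted;
            if (!_grants.TryGetValue(operation, out granted)) return false;
            roles = new string[granted.Count];
            granted.CopyTo(roles);   // snapshot so IsInRole runs outside the lock
        }
        foreach (string role in roles)
            if (user.IsInRole(role)) return true;   // membership still comes from the role provider
        return false;
    }
}
public static class Demo
{
    public static void Main()
    {
        var authz = new OperationAuthorizer();
        authz.Grant("Clerks", "Invoice.View");
        authz.Grant("Managers", "Invoice.Approve");
        IPrincipal clerk = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Clerks" }); // constructed user
        Console.WriteLine(authz.AccessCheck(clerk, "Invoice.View"));
        Console.WriteLine(authz.AccessCheck(clerk, "Invoice.Approve"));
    }
}
```

Page code calls AccessCheck with a design-time operation name instead of hard-coding role names, so reassigning operations to roles needs no code change.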
 
