
How to restrict users to subsets of data in ASP.Net 2.0+

Imagine an ASP.Net 2.0+ app that uses the built-in role-based security to restrict users to certain pages or actions.

Further suppose that rules exist that restrict individual users to subsets of data based on the user's attributes (however those are implemented). For example, a manager can only look at performance history for his or her own subordinates. A sales manager can only look at sales target achievement information for his or her own sales reps. A sales rep can only look at pending orders for his or her own customers.

These rules affect how dropdowns and other multi-record displays are filled, and also what values can be typed into textboxes for search and lookup purposes. There are many other possible functions and screen types that could potentially be affected. So this is a cross-app concern.

My question: what kind of patterns or techniques would make implementing such restrictions across an application easier?


You could implement the repository pattern. Then when you make calls to it you pass in the current user and restrict data returned based on that user or pass in the user when you construct the repository.

Repository Pattern

Something like

using System;
using System.Collections.Generic;

// User and SalesData are the application's own domain types.
public class DataRepository
{
    private readonly User _user;

    public DataRepository(User user)
    {
        _user = user;
    }

    public IEnumerable<SalesData> GetMonthlySalesData()
    {
        // Query the data store here, filtering by _user's attributes
        // before any rows are returned to the caller.
        throw new NotImplementedException();
    }
}
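As an added example (not code from the answer above), here is a fuller repository that applies the caller's scope inside every query, covering the sales-rep and sales-manager cases from the question. The Role enum, the Order and User classes, the SubordinateIds property and the in-memory order list are constructed for illustration and stand in for the application's real types and database.

```csharp
// Added example: a repository that enforces the caller's data scope on every
// query, so callers cannot forget to filter. Types and sample data are
// constructed for illustration.
using System;
using System.Collections.Generic;
using System.Linq;

public enum Role { SalesRep, SalesManager }

public class User
{
    public int Id { get; set; }
    public Role Role { get; set; }
    // Ids of the sales reps this user manages (empty for a plain sales rep).
    public HashSet<int> SubordinateIds { get; set; }
}

public class Order
{
    public int Id { get; set; }
    public int CustomerId { get; set; }
    public int SalesRepId { get; set; }   // rep who owns the customer
    public bool Pending { get; set; }
}

public class OrderRepository
{
    private readonly User _user;
    private readonly IEnumerable<Order> _orders;   // stand-in for a database table

    public OrderRepository(User user, IEnumerable<Order> orders)
    {
        if (user == null) throw new ArgumentNullException("user");
        _user = user;
        _orders = orders;
    }

    // Every public query goes through this filter. Unknown roles get nothing
    // (deny by default) rather than the whole table.
    private IEnumerable<Order> InScope()
    {
        switch (_user.Role)
        {
            case Role.SalesRep:
                return _orders.Where(o => o.SalesRepId == _user.Id);
            case Role.SalesManager:
                var subs = _user.SubordinateIds ?? new HashSet<int>();
                return _orders.Where(o => subs.Contains(o.SalesRepId));
            default:
                return Enumerable.Empty<Order>();
        }
    }

    // Fills a dropdown or grid: only the caller's own pending orders.
    public IEnumerable<Order> GetPendingOrders()
    {
        return InScope().Where(o => o.Pending).ToList();
    }

    // Lookup by an id typed into a textbox. A row that exists but is outside
    // the caller's scope comes back as null, indistinguishable from a missing
    // row, so the UI cannot confirm the other record's existence.
    public Order FindOrder(int orderId)
    {
        return InScope().FirstOrDefault(o => o.Id == orderId);
    }
}

public static class Demo
{
    public static void Main()
    {
        var orders = new List<Order>
        {
            new Order { Id = 1, CustomerId = 10, SalesRepId = 7, Pending = true },
            new Order { Id = 2, CustomerId = 11, SalesRepId = 8, Pending = true },
            new Order { Id = 3, CustomerId = 10, SalesRepId = 7, Pending = false },
        };

        var rep7 = new User { Id = 7, Role = Role.SalesRep };
        var repRepo = new OrderRepository(rep7, orders);
        Console.WriteLine("rep 7 pending orders: " + repRepo.GetPendingOrders().Count());
        Console.WriteLine("rep 7 can see order 2: " + (repRepo.FindOrder(2) != null));

        var manager = new User { Id = 1, Role = Role.SalesManager,
                                 SubordinateIds = new HashSet<int> { 7, 8 } };
        var mgrRepo = new OrderRepository(manager, orders);
        Console.WriteLine("manager pending orders: " + mgrRepo.GetPendingOrders().Count());
    }
}
```

The point of routing FindOrder through the same InScope() filter as the list queries is that the textbox-lookup case from the question is handled by construction: a rep who types another rep's order id gets the same answer as for an id that does not exist.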


A lot of water has gone under the bridge since the OP's original question. The answers provided were great then but they all require coding.

Since then, attribute-based access control (ABAC), an access control model put forward by NIST, has matured considerably. ABAC helps you express your authorization logic as configurable policies which you define, maintain, and execute externally in a central policy decision point.

There are several solutions out there that implement ABAC. I recommend you check out Wikipedia for more information.


Consider using your own custom attribute for these cross cutting concerns and implement possibly with a claims based identity system (ex. IClaimsIdentity - Windows Identity Foundation) for required attributes.

Since you are controlling data here based on users - I would also look into the Model View Presenter pattern for webforms since you are binding data, etc. See: http://msdn.microsoft.com/en-us/library/ff647117.aspx This allows you to better test your output based on whatever defined permissions you have and provides a better way to track your bindings to combo boxes, etc. than sticking a bunch of junk in your code behind.
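As an added example (not code from the answer above), here is one way to combine a custom attribute with claims-based identity so that the scope for a page comes from claims on the identity and a value typed into a lookup textbox is checked on the server. It uses System.Security.Claims (ClaimsPrincipal, .NET 4.5+) as a stand-in for WIF's IClaimsIdentity; the claim type URIs, the RequiresScopeClaim attribute, the PerformanceHistoryPage class and the sample claims are all constructed for illustration.

```csharp
// Added example: derive the caller's data scope from claims and validate a
// user-typed identifier against it. Claim type URIs, attribute and sample
// values are constructed, not from any real application.
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Marks a page or handler with the claim type that scopes its data.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class RequiresScopeClaimAttribute : Attribute
{
    public string ClaimType { get; private set; }
    public RequiresScopeClaimAttribute(string claimType) { ClaimType = claimType; }
}

public static class ScopeClaims
{
    // Constructed claim type URIs; a real deployment would define its own.
    public const string Subordinate = "urn:example:subordinate";
    public const string Customer = "urn:example:customer";
}

public static class DataScope
{
    // All ids the caller may touch for a given claim type (empty set = nothing).
    public static HashSet<int> AllowedIds(ClaimsPrincipal principal, string claimType)
    {
        var ids = new HashSet<int>();
        if (principal == null || claimType == null) return ids;
        foreach (var claim in principal.FindAll(claimType))
        {
            int id;
            if (int.TryParse(claim.Value, out id)) ids.Add(id);
        }
        return ids;
    }

    // Server-side check for a value typed into a search/lookup textbox.
    // The dropdown contents are not a control: the request can carry any id.
    public static bool CanAccess(ClaimsPrincipal principal, string claimType, string typedValue)
    {
        int id;
        if (!int.TryParse(typedValue, out id)) return false;
        return AllowedIds(principal, claimType).Contains(id);
    }

    // Reads the scope claim type declared on a handler type via the attribute.
    public static string RequiredClaimType(Type handler)
    {
        var attr = (RequiresScopeClaimAttribute)Attribute.GetCustomAttribute(
            handler, typeof(RequiresScopeClaimAttribute));
        return attr == null ? null : attr.ClaimType;
    }
}

// A manager may only view performance history for his or her subordinates.
[RequiresScopeClaim(ScopeClaims.Subordinate)]
public class PerformanceHistoryPage
{
    public bool TryShow(ClaimsPrincipal principal, string employeeIdFromTextbox, out string message)
    {
        var claimType = DataScope.RequiredClaimType(GetType());
        if (!DataScope.CanAccess(principal, claimType, employeeIdFromTextbox))
        {
            // Same response as for a missing record, so nothing is leaked.
            message = "Not found";
            return false;
        }
        message = "History for employee " + employeeIdFromTextbox;
        return true;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed identity: a manager with two subordinates, 42 and 43.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "manager1"),
            new Claim(ScopeClaims.Subordinate, "42"),
            new Claim(ScopeClaims.Subordinate, "43"),
        }, "constructed");
        var principal = new ClaimsPrincipal(identity);

        var page = new PerformanceHistoryPage();
        string msg;
        Console.WriteLine(page.TryShow(principal, "42", out msg) + ": " + msg);   // in scope
        Console.WriteLine(page.TryShow(principal, "99", out msg) + ": " + msg);   // out of scope
        Console.WriteLine(page.TryShow(principal, "abc", out msg) + ": " + msg);  // not an id
    }
}
```

Keeping the allowed-id logic in DataScope rather than in each page's code-behind is what makes the check testable in the MVP sense the answer describes: a presenter can be exercised with a constructed ClaimsPrincipal and no web context.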
