ASP.NET Permission Frameworks?
Problem
ASP.NET has no concept of associating permissions to roles.
My app
The current web application uses custom user membership and role providers. The app has 4 roles: superuser, admin, principal, and teacher. When the user logs in, they are redirected to their appropriate UI. For example, admins are redirected to the admin interface, teachers are redirected to the teacher interface. Each interface has its own master page and aspx pages. A new requirement is that teachers are no longer allowed to view specific information or do specific functions. Information could be a field or a row in a gridview control, it could be functional as well (e.g. not able to click on a link to open a popup window, but still be able to see the link's text). Other roles also have need of specific "permission" requirements, but completely different from the teachers' ones.
Proposed Solution
Create a database table to centralize mapping of permissionsToRoles like so:
CREATE TABLE [dbo].[PermissionToRole](
[PermissionID] [int] IDENTITY(1,1) NOT NULL primary key,
[Role] int NOT NULL,
[Control] [varchar](50) NOT NULL,
[ControlType] [varchar](50) NOT NULL,
[Function] [varchar](50) NOT NULL,
[Read] [bit] NULL,
[Write] [bit] NULL,
[Execute] [bit] NULL,
[Delete] [bit] NULL
)
Using the link example above we would get something like: "teacher", "labelName", "asp:label", "click", 1, 0, 0, 0 (can read the link but not "execute" the click)
The plan is to be able to do a few things:
- Use permissions to consolidate multiple aspx pages and logic into a single page (aspx), to reduce maintenance every time a new role is needed.
- Control a role's (aka group's) permissions at all levels (tab -> control). E.g. use this table to control visibility of controls at every level (tab, page, control), as well as individual functionality (e.g. click on a link control).
- Control what data is returned to the UI and what CRUD operations are allowed.
Are there frameworks out there for ASP.NET that can do this already? I'm pretty sure Content Management Systems (CMS) can do this, but this app will not use a CMS :). I really want to avoid reinventing the wheel.
Thanks!
Look at AzMan. I have a feeling that it's what you seek.
With AzMan you define operations and check in code whether the user is authorized to do an operation. You can then define which roles are allowed to do which operations and assign roles to users -- because you're checking against operations, not roles, no code changes will be necessary if you want to introduce a new role or reassign operations between roles.
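The operation-based check described in the answer above, as an added example that is not part of the original thread and does not use the AzMan or NetSqlAzMan API. The class, method and operation names are hypothetical, and the grants are constructed sample data using the roles from the question.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical names throughout; this is not the AzMan or NetSqlAzMan API.
public sealed class OperationAuthorizer
{
    // operation -> roles allowed to perform it (in practice loaded from the data store)
    private readonly Dictionary<string, HashSet<string>> _grants =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);

    public void Grant(string role, string operation)
    {
        if (!_grants.TryGetValue(operation, out var roles))
            _grants[operation] = roles = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        roles.Add(role);
    }

    // Deny by default: an unknown operation, or a user with no granted role, gets false.
    public bool IsAllowed(IEnumerable<string> userRoles, string operation)
    {
        return _grants.TryGetValue(operation, out var roles)
            && userRoles.Any(r => roles.Contains(r));
    }
}

public static class Demo
{
    public static void Main()
    {
        var authz = new OperationAuthorizer();
        // Constructed sample grants: teachers may see the link, principals may also open it.
        authz.Grant("teacher", "StudentLink.Read");
        authz.Grant("principal", "StudentLink.Read");
        authz.Grant("principal", "StudentLink.Open");

        var teacher = new[] { "teacher" };
        Console.WriteLine(authz.IsAllowed(teacher, "StudentLink.Read"));
        Console.WriteLine(authz.IsAllowed(teacher, "StudentLink.Open"));
        Console.WriteLine(authz.IsAllowed(teacher, "Grades.Delete")); // never granted to anyone

        // A new role is added as data only; the IsAllowed call sites stay the same.
        authz.Grant("counselor", "StudentLink.Open");
        Console.WriteLine(authz.IsAllowed(new[] { "counselor" }, "StudentLink.Open"));
    }
}
```

The same IsAllowed call belongs in the server-side handler for the click as well as in the code that decides whether to render the control, since hiding a control does not stop the postback from being sent.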
Decided on trying NetSqlAzMan because:
- Not COM and IS .NET 4
- RDBMS for Data Store
- AOP (Aspect Oriented Programming) (Can use attributes instead of massive if/else checks)
- Loosely coupled
- Handles Permissions to Roles scenarios
- Free
In truth, the ASP.NET membership controls ought to be able to do what you want. Setting up a database with the appropriate schema allows you to use a huge suite of methods and objects to control user access. Like Luis mentions, you can access control pages and folders to certain roles, but if you want to lock out individual functions based on a user's role, you can use the IsUserInRole() method.
There isn't a whole lot of point in reinventing the wheel if you can use a built-in, well-tested process.