Merging organization unit and business roles in ASP.NET web application
In real-world enterprise web applications for enterprise businesses, we always need to limit the access to the data by the user's unit and role.
Consider that we have an enterprise company with many shopping stores in a country.
So the company has a headquarters which has view access to all invoices and statistics for all branches. Each region in the country manages and plans the regional sales strategies for its own branches. Then the region's users can also see all invoices which have been created by its branches. Each branch can create invoices and customers, and view only its own data.
We can see that we have two main access control definitions:
1- Roles (which have been thought of and implemented many years ago!): we can easily implement these using RoleProvider and control access at the UI level (web.config and sitemap.config)
2- Units and their relation with roles to deny/grant the user access to update/view data.
I have implemented a custom principal in ASP.NET to get the user's unit and roles, but I think there should be a classic solution...
Check these out:
http://netsqlazman.codeplex.com/discussions/352107
http://lostechies.com/derickbailey/2011/05/24/dont-do-role-based-authorization-checks-do-activity-based-checks/
Here is MY explanation.
http://granadacoder.wordpress.com/2010/12/01/rant-hard-coded-security-roles/
............
The MembershipProvider is based on ROLES,....and that is for your kid's soccer club...NOT a professional DotNet application.
There is a "middle ground" workaround.
http://www.lhotka.net/weblog/CommentView,guid,9efcafc7-68a2-4f8f-bc64-66174453adfd.aspx
Basically, use the MembershipProvider... but treat the word/phrase "Role" as "Right". (In your mind... you cannot change the names of objects in MS code, of course.)
Rocky's NUTSHELL (from the URL above):
bool result = currentPrincipal.IsInRole(requiredPermission);
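A worked example of that "role as right" workaround combined with the unit scoping described in the question (added here; this is not code from the answer, from Rocky's post, or from the linked articles). The unit ids, the unit level names and the "Invoice.View" right name are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

// Custom principal: each "role" name is read as a right (the workaround above),
// and the user's organization unit travels with the principal so a data-scope
// check can be layered on top of the right check.
public sealed class UnitPrincipal : IPrincipal
{
    private readonly HashSet<string> _rights;
    public UnitPrincipal(string name, string unitId, string unitLevel, IEnumerable<string> rights)
    {
        Identity = new GenericIdentity(name);
        UnitId = unitId;         // constructed ids, e.g. "HQ", "R-North", "B-0042"
        UnitLevel = unitLevel;   // assumed level names: "HQ", "Region" or "Branch"
        _rights = new HashSet<string>(rights, StringComparer.OrdinalIgnoreCase);
    }
    public IIdentity Identity { get; }
    public string UnitId { get; }
    public string UnitLevel { get; }
    // "Role" in the provider's vocabulary is treated as a right/activity here.
    public bool IsInRole(string right) => _rights.Contains(right);
}

public sealed class Invoice { public string BranchId; public string RegionId; public decimal Total; }

public static class InvoiceAccess
{
    // Scope rule from the question: HQ sees everything, a region sees its own
    // branches, a branch sees only its own invoices. Right and scope are checked separately.
    public static bool CanView(UnitPrincipal user, Invoice inv)
    {
        if (!user.IsInRole("Invoice.View")) return false;   // assumed right name
        switch (user.UnitLevel)
        {
            case "HQ":     return true;
            case "Region": return inv.RegionId == user.UnitId;
            case "Branch": return inv.BranchId == user.UnitId;
            default:       return false;   // unknown unit level: deny by default
        }
    }

    public static IEnumerable<Invoice> Visible(UnitPrincipal user, IEnumerable<Invoice> all)
        => all.Where(i => CanView(user, i));
}
```

Assign an instance of UnitPrincipal to HttpContext.Current.User (and Thread.CurrentPrincipal) during authentication, then call InvoiceAccess.Visible on the server side rather than relying on the UI-level role checks alone.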