user1921730

Reputation: 89

Data Level Authorization in ASP.Net MVC 3

I have to develop a user management application. I need to authorize the user at the data level. Example:

Taking a banking example:

  1. Clients - Ex: Bank1, Bank2, Bank3, Bank4.
  2. Branches State - Ex: State1, State2, State3, State4
  3. Branches District - Ex: District1, District2, District3, District4
  4. Facilities - Cheque, Direct Debit, Standing Order

When a user logs in, he will be able to see only some clients, some state branches and some district branches, depending on the branches, facilities, etc. assigned to him in the user management application. This changes for different users.

Please, can anyone help me out with this level of authorization? Are there any standard tools available, or if not, what would be a good DB model for this?

Upvotes: 7

Views: 822

Answers (3)

VVR147493

Reputation: 251

Thanks for the responses. Please find the sample data. It can go up to three / n-number of levels.

UserId UserName

USR1      John    
USR2      William
USR3      Joseph
USR4      Mathew
USR5      George

ClientId ClientName

CL1         Barclays
CL2         Lloyds TSB
CL3         Natwest
CL4         Nationwide
CL5         HSBC

CountryId CountryName

CON1        England
CON2        Wales
CON3        Scotland
CON4        Northern Ireland

CountryId CityId CityName

CON1        CTY1      Liverpool 
CON1        CTY2      Waterloo
CON1        CTY3      Piccadilly
CON2        CTY4      Cardiff   
CON2        CTY5      Ammanford
CON2        CTY6      Abergele
CON3        CTY7      Glasgow
CON3        CTY8      Edinburgh
CON3        CTY9      Aberdeen
CON4        CTY10     Belfast
CON4        CTY11     Hannahstown
CON4        CTY12     Springfield

CountryId CityId BranchId BranchName

CON1        CTY1      BRC1        Branch1
CON1        CTY1      BRC2        Branch2
CON1        CTY1      BRC3        Branch3
CON2        CTY4      BRC4        Branch4
CON2        CTY4      BRC5        Branch5
CON2        CTY4      BRC6        Branch6

UserId ClientId CountryId CityId BranchId

 USR1      CL1         CON1        CTY1      BRC1        
 USR1      CL1         CON1        CTY1      BRC2        
 USR2      CL2         CON1        CTY1      BRC1
 USR2      CL2         CON1        CTY1      BRC2  

Upvotes: 0

GraemeMiller

Reputation: 12273

You could look at ClaimsPrincipal and using claims-based authorization. In .NET 4.5, WIF is integrated. You can see a summary here: http://msdn.microsoft.com/en-us/library/ms729851.aspx

You would probably have to create access control lists around each of the entities in the system. Ultimately you need an easy way to uniquely identify the entity; I thought of using a GUID. Then require a claim for that GUID. You could obviously get more complex and require read/write type permissions. You may end up with a lot of claims if you directly grant access per entity.

Ultimately, do you want to be defining access rights on individual entities? Some sort of grouping may be better: if you can manage the bank you can manage all its states, if you manage a district you manage all the district's branches, etc.

I'd try grouping users into groups and then assigning access rights to the groups. When you manage files in NTFS you rarely find yourself granting access to an individual file.

If you grant someone permission for a group of entities, do some sort of group check first, and if they don't have that claim then do the entity check.

You would probably need to do some custom stuff with http://msdn.microsoft.com/en-us/library/system.security.claims.claimsauthorizationmanager.aspx. Pass in the claim that you want to edit Bank X, etc., and then it checks whether you have permission on that particular bank. I think you have to do the logic for the ACL in the CheckAccess method.

Also have a look at http://thinktecture.github.com/Thinktecture.IdentityModel.45/

I also found the following post: http://leastprivilege.com/2012/06/24/approaches-to-server-side-authorization/ - read Lucero's suggestion at the end. Basically the same as above.

Upvotes: 1
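The group-first, then entity check sketched in the answer above, written out as a custom ClaimsAuthorizationManager for .NET 4.5. This is an added example, not code from the answer, from WIF or from Thinktecture; the claim type naming (`urn:example:bank:<action>`), the in-memory parent map and the sample Barclays/HSBC entities are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;   // ClaimsAuthorizationManager and AuthorizationContext live in
                                // System.IdentityModel.dll on .NET 4.5

// Hierarchy Client > State > District > Branch. Each entity has a GUID and knows only its parent.
// Built in memory here (assumption for the example); in the application it comes from the database.
public static class BankHierarchy
{
    private static readonly Dictionary<Guid, Guid?> Parent = new Dictionary<Guid, Guid?>();

    public static Guid Add(Guid? parent)
    {
        Guid id = Guid.NewGuid();
        Parent[id] = parent;
        return id;
    }

    // The entity followed by its ancestors, nearest first: Branch, District, State, Client.
    public static IEnumerable<Guid> SelfAndAncestors(Guid id)
    {
        Guid? current = id;
        while (current.HasValue)
        {
            Guid? parent;
            if (!Parent.TryGetValue(current.Value, out parent))
                yield break;     // unknown entity: nothing matches, so the caller denies
            yield return current.Value;
            current = parent;
        }
    }
}

public class BankAuthorizationManager : ClaimsAuthorizationManager
{
    // One claim type per action, value = GUID of the entity (assumed naming for the example).
    public static string ClaimTypeFor(string action)
    {
        return "urn:example:bank:" + action;
    }

    public override bool CheckAccess(AuthorizationContext context)
    {
        ClaimsPrincipal principal = context.Principal;
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return false;

        // Every (resource, action) pair in the context must be covered; deny on the first miss.
        foreach (Claim action in context.Action)
        {
            string claimType = ClaimTypeFor(action.Value);
            foreach (Claim resource in context.Resource)
            {
                Guid entityId;
                if (!Guid.TryParse(resource.Value, out entityId))
                    return false;

                // Group check first, as the answer suggests: walk from the Client down to the
                // entity itself and accept the first level the user holds a claim for.
                bool covered = BankHierarchy.SelfAndAncestors(entityId)
                                            .Reverse()
                                            .Any(id => principal.HasClaim(claimType, id.ToString()));
                if (!covered)
                    return false;
            }
        }
        return true;
    }
}

public static class Demo
{
    public static void Main()
    {
        Guid barclays   = BankHierarchy.Add(null);
        Guid england    = BankHierarchy.Add(barclays);
        Guid liverpool  = BankHierarchy.Add(england);
        Guid branch1    = BankHierarchy.Add(liverpool);
        Guid hsbc       = BankHierarchy.Add(null);
        Guid hsbcBranch = BankHierarchy.Add(BankHierarchy.Add(BankHierarchy.Add(hsbc)));

        // John: "read" on all of Barclays (a group grant), "manage" on Branch1 only.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(BankAuthorizationManager.ClaimTypeFor("read"),   barclays.ToString()),
            new Claim(BankAuthorizationManager.ClaimTypeFor("manage"), branch1.ToString())
        }, "Example");
        var john = new ClaimsPrincipal(identity);
        var manager = new BankAuthorizationManager();

        // Read on Liverpool is inherited from the Barclays grant.
        Console.WriteLine(manager.CheckAccess(new AuthorizationContext(john, liverpool.ToString(), "read")));
        // Manage on Branch1 is a direct grant.
        Console.WriteLine(manager.CheckAccess(new AuthorizationContext(john, branch1.ToString(), "manage")));
        // Manage on Liverpool: the Branch1 grant does not flow upwards.
        Console.WriteLine(manager.CheckAccess(new AuthorizationContext(john, liverpool.ToString(), "manage")));
        // Read on an HSBC branch: different client, no grant at any level.
        Console.WriteLine(manager.CheckAccess(new AuthorizationContext(john, hsbcBranch.ToString(), "read")));
    }
}
```

In an MVC application the manager is registered under `<system.identityModel>` in web.config and invoked through `ClaimsPrincipalPermission.CheckAccess(resource, action)` (or the matching attribute) on the server for every entity a request touches. The hierarchy walk is what keeps a user holding a Branch claim from being treated as holding the Client: a grant only ever flows downwards, and an entity id that is not in the hierarchy yields no match and is denied rather than silently allowed.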

JOBG

Reputation: 4624

You need to implement your own authorization mechanism. You need to create a control table where you store the user access level (assuming a lot of things), something like:

UserAuthorization (UserId, EntityId, EntityType)

UserId: Reference to User.

EntityId: Id of the element you want to grant access to.

EntityType: Type of element you want to grant access (Client, State, District, Facility)

+--------+----------+------------+
| UserId | EntityId | EntityType |
+--------+----------+------------+
|      1 |        2 | CLIENT     |
|      1 |        2 | STATE      |
|      1 |        3 | DISTRICT   |
+--------+----------+------------+

You can, and should, use an integer to represent EntityType; I wrote it as text just for the example.

Upvotes: 6
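An added example (not code from the answer) of applying the UserAuthorization control table above to an actual query, so that a user only gets back the rows at or below the entities granted to him. The Branch row shape with denormalised ClientId/StateId/DistrictId columns (in the style of the asker's own sample rows with CountryId and CityId), the Facility/Branch values in the enum and the sample data are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// The control table from the answer, with EntityType stored as an integer as recommended.
public enum EntityType { Client = 1, State = 2, District = 3, Facility = 4, Branch = 5 }

public class UserAuthorization
{
    public int UserId { get; set; }
    public int EntityId { get; set; }
    public EntityType EntityType { get; set; }
}

// A branch row that carries the ids of everything above it, in the style of the asker's
// sample rows (CountryId, CityId, BranchId). Assumed shape for the example.
public class Branch
{
    public int BranchId { get; set; }
    public int DistrictId { get; set; }
    public int StateId { get; set; }
    public int ClientId { get; set; }
    public string Name { get; set; }
}

public static class DataLevelFilter
{
    // Ids the user holds for one EntityType. EntityId is only meaningful together with its
    // type (the answer's table has EntityId 2 as both a CLIENT and a STATE), so never look up
    // by id alone.
    private static List<int> Granted(IEnumerable<UserAuthorization> grants, int userId, EntityType type)
    {
        return grants.Where(g => g.UserId == userId && g.EntityType == type)
                     .Select(g => g.EntityId)
                     .ToList();
    }

    // Restricts a branch query to rows the user may see: a grant on the branch's Client, State
    // or District, or on the branch itself, makes it visible. A user with no rows sees nothing.
    // Only List.Contains is used inside the predicate, so an Entity Framework provider can
    // translate it to SQL (... IN (...)) instead of loading every branch and filtering in memory.
    public static IQueryable<Branch> VisibleTo(this IQueryable<Branch> branches,
                                              IEnumerable<UserAuthorization> grants, int userId)
    {
        List<int> clients   = Granted(grants, userId, EntityType.Client);
        List<int> states    = Granted(grants, userId, EntityType.State);
        List<int> districts = Granted(grants, userId, EntityType.District);
        List<int> own       = Granted(grants, userId, EntityType.Branch);

        return branches.Where(b => clients.Contains(b.ClientId)
                                || states.Contains(b.StateId)
                                || districts.Contains(b.DistrictId)
                                || own.Contains(b.BranchId));
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: user 1 holds the three rows from the answer's table,
        // user 2 has a single branch-level grant, user 3 has none.
        var grants = new List<UserAuthorization>
        {
            new UserAuthorization { UserId = 1, EntityId = 2, EntityType = EntityType.Client },
            new UserAuthorization { UserId = 1, EntityId = 2, EntityType = EntityType.State },
            new UserAuthorization { UserId = 1, EntityId = 3, EntityType = EntityType.District },
            new UserAuthorization { UserId = 2, EntityId = 4, EntityType = EntityType.Branch }
        };

        IQueryable<Branch> branches = new List<Branch>
        {
            new Branch { BranchId = 1, ClientId = 2, StateId = 1, DistrictId = 1, Name = "via client grant" },
            new Branch { BranchId = 2, ClientId = 1, StateId = 2, DistrictId = 5, Name = "via state grant" },
            new Branch { BranchId = 3, ClientId = 1, StateId = 1, DistrictId = 3, Name = "via district grant" },
            new Branch { BranchId = 4, ClientId = 3, StateId = 3, DistrictId = 4, Name = "user 2 only" }
        }.AsQueryable();

        foreach (int userId in new[] { 1, 2, 3 })
        {
            var names = branches.VisibleTo(grants, userId).Select(b => b.Name).ToList();
            Console.WriteLine("User {0} sees: {1}", userId, string.Join(", ", names));
        }
    }
}
```

Put the filter in the repository or data-access layer so every query that returns client, state, district or branch rows goes through it; hiding entries in the view is not authorization, and a direct request for an id the user was never granted must come back empty. A unique index on (UserId, EntityType, EntityId) keeps the control table free of duplicate rows, and because the same EntityId can appear under several types, every lookup against it has to include the EntityType column.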
