Reputation: 9959
In an ASP.NET Project (C#) and SQL Server 2008, how should an Administrator be determined?
Should I have an attribute in my Users table to determine the Admin? Even though I have only 1 Admin?
id   username   type
--------------------------------------
1    Ali1       admin
2    James3     user
3    Carlos31   user
4    Kuku       user
OR
Should the Admin be determined by a special ID when checking the Session?
Let's say the Admin is the user with the id=1
    if (Session["id"].ToString().Equals("1"))
    {
        // Admin
    }
    else
    {
        // Normal User
    }
Which approach is better and more secure? Is there a better one?
Upvotes: 2
Views: 425
Reputation: 10012
I would suggest creating a schema like:
http://dbpatterns.com/documents/50851b3189cbad4b9fd5b45a/
So you have a user table and a level table.
In the level table have something like:
id   level
-------------------
1    admin
2    user
Then in the user table give each user a level number, that way you can just add levels easily and have a definition to lookup against.
Or if you wanted to go overkill:
Have a 3rd table storing the user ID and the level ID so users could have more than one role.
In the user_level_link table have something like:
user_id   level
-------------------
1         1
2         1
2         2
Definitely don't do it against a single ID as it can cause issues when you intend to scale the site further.
Upvotes: 1
Reputation: 62841
I would not check for a specific id, but rather for a user type. You don't know if the data will ever change or if you'll ever have to add additional admins. It's generally a bad idea to hard code values like this in your application. Instead, create a UserType class and check for a UserType.Admin or UserType.User role and handle the code in your BLL and/or DAL.
So to answer your question, your first implementation would work well.
Good luck.
Upvotes: 3
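The role-based check both answers recommend, as an added example that is not code from either answer. The `Authorization` class, the `IsInRole` method and the in-memory dictionary standing in for the `user_level_link` table are assumptions made for illustration, and user 3 is a constructed sample row. The check denies by default when the session value is missing, malformed or unknown.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Role values mirror the "level" table from the first answer (1 = admin, 2 = user).
public enum UserType { Admin = 1, User = 2 }

public static class Authorization
{
    // Constructed stand-in for the user_level_link table (user_id -> levels).
    // In a real application this lookup would be a parameterized query in the DAL.
    private static readonly Dictionary<int, UserType[]> UserLevels =
        new Dictionary<int, UserType[]>
        {
            { 1, new[] { UserType.Admin } },
            { 2, new[] { UserType.Admin, UserType.User } },
            { 3, new[] { UserType.User } },
        };

    // sessionId is whatever Session["id"] holds; it may be null or malformed.
    public static bool IsInRole(object sessionId, UserType required)
    {
        int userId;
        if (sessionId == null || !int.TryParse(sessionId.ToString(), out userId))
            return false; // no usable session value: deny by default

        UserType[] levels;
        if (!UserLevels.TryGetValue(userId, out levels))
            return false; // user has no role rows: deny

        // Privilege comes from the stored role, never from the id value itself.
        return levels.Contains(required);
    }
}

public static class Program
{
    public static void Main()
    {
        Console.WriteLine(Authorization.IsInRole("1", UserType.Admin));
        Console.WriteLine(Authorization.IsInRole("3", UserType.Admin));
        Console.WriteLine(Authorization.IsInRole(null, UserType.Admin));
        Console.WriteLine(Authorization.IsInRole("2", UserType.User));
    }
}
```

Adding or removing an administrator then becomes a data change in the link table rather than a code change.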