shekhar

Reputation: 41

Using roles in ASP.NET

In an ASP.NET web application I have restricted users' actions depending on their roles, as follows.

I have created three tables in database

Tables

Table: Users

UserID Username Password
1 Bob password1
2 Scott password2
3 Jisun password3
4 Sam password4
5 John password5

Table: Groups

GroupID Name
1 Administrators
2 Clerk
3 Manager
4 Cashier

Table: Roles

UserID GroupID
1 1
2 2
2 3
3 4
4 3
4 4

In Global.asax file I have written the following

' Global.asax needs <%@ Import Namespace="..." %> directives for System.Collections,
' System.Data, System.Data.SqlClient, System.Security.Principal and
' Microsoft.ApplicationBlocks.Data (SqlHelper); connectionString is assumed to hold
' the database connection string
Sub Application_AuthenticateRequest(sender As Object, e As EventArgs)
    If Request.IsAuthenticated Then
        'Determine this user's roles
        Dim reader As SqlDataReader = _
              SqlHelper.ExecuteReader(connectionString, _
              CommandType.StoredProcedure, "rolesForUser", _
              New SqlParameter("@Username", User.Identity.Name))

        ' Create an array of role names
        Dim roleList As New ArrayList
        Do While reader.Read()
            roleList.Add(reader("Name"))
        Loop
        reader.Close()

        'Convert the roleList ArrayList to a String array
        Dim roleListArray As String() = _
            DirectCast(roleList.ToArray(GetType(String)), String())

        'Add the roles to the User Principal
        HttpContext.Current.User = _
             New GenericPrincipal(User.Identity, roleListArray)
    End If
End Sub

And in asp.net code-behind file the following code

' The role name must match Groups.Name exactly ("Administrators", not "Administrator")
If User.IsInRole("Administrators") Then
  ' Display sensitive material
ElseIf User.IsInRole("Clerk") Then
  ' Display moderately sensitive material
Else
  ' Display only bland material
End If

As of now it is working fine. Now a new requirement has arisen to allow the clerk to access some of (but not all) the functionalities performed by the administrator.

Do I need to change my source code to provide the above new requirement?

Do I need to do the same again and again when such a requirement arises in future?

Or is there any other better way I can do this? Please suggest.

Upvotes: 3

Views: 284

Answers (6)

PHeiberg

Reputation: 29851

In addition to using an existing implementation of the plumbing code, such as the Membership Provider, it might be wise to add an extra level of abstraction in order to make the solution less fragile. If the authorization is widespread it might be wise to map the roles to functionalities and in your code check if any of the user's roles has access to a certain functionality.

  If Authorizer.UserHasAccessToFunctionality(user, "Sensitive") Then
    ' Display sensitive material
  ElseIf ...

The authorization logic in pseudo code:

Public Shared Function UserHasAccessToFunctionality(user As IPrincipal, _
        functionality As String) As Boolean
    ' user.Roles is pseudocode: IPrincipal only exposes IsInRole, so the role
    ' names must come from wherever they were loaded (e.g. a custom principal)
    Dim functionalities As IList(Of String) = _
        AuthorizationRepository.GetFunctionalityForRoles(user.Roles)
    Return functionalities.Contains(functionality)
End Function

The AuthorizationRepository would be loading the functionalities that an array of roles have access to.

In the database you would map the functionalities to the roles that have access to them.

Table: Functionalities

ID Name
1  Sensitive
2  Protected
3  Public

Table: RoleFunctionalities

Role Functionality
1    1
1    2
2    2
3    3

Upvotes: 0

Kris van der Mast

Reputation: 16613

Since version 2.0, ASP.NET has had a great deal of standard out-of-the-box functionality which allows you to use Membership and Roles. There are some great resources on how to use the standard functionality: ASP.NET security tutorials.

If you already have a legacy database, it's quite easy to create a custom provider and plug that in. For example, a custom membership provider.

If you're concerned with having multiple databases you can check out this article: Create Membership tables in another database than the standard aspnetdb.mdf.

Upvotes: 1

Bermo

Reputation: 4931

You need to decouple your role membership (you have called them groups) from the application code, and move to a permission-based authentication model. This will allow you to change the permissions for each group as future requirements change as you have suggested.

If you want to implement this using your current data model, you will need to create a new permissions table which is related to your groups via a many-to-many table. You should only ever check permissions rather than group membership in your application code. You can simply modify which groups have which permissions via the many-to-many table direct, or put a simple admin interface over the top.

Upvotes: 0
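One way to implement the permission mapping that PHeiberg and Bermo describe, as an added example that is not code from either answer: the question's Users/Groups/Roles tables plus PHeiberg's Functionalities and RoleFunctionalities tables in an in-memory SQLite database (the table names and sample rows are the page's; the resolving query and the helper functions are assumptions), with the new clerk requirement handled as a data change rather than a code change.

```python
import sqlite3

# Constructed sample data, taken from the question and from PHeiberg's answer
# (group 4, Cashier, has no functionality mapped in that answer).
SCHEMA = """
CREATE TABLE Users (UserID INTEGER PRIMARY KEY, Username TEXT UNIQUE NOT NULL);
CREATE TABLE "Groups" (GroupID INTEGER PRIMARY KEY, Name TEXT NOT NULL);
CREATE TABLE Roles (UserID INTEGER REFERENCES Users, GroupID INTEGER REFERENCES "Groups",
                    PRIMARY KEY (UserID, GroupID));
CREATE TABLE Functionalities (ID INTEGER PRIMARY KEY, Name TEXT UNIQUE NOT NULL);
CREATE TABLE RoleFunctionalities (Role INTEGER REFERENCES "Groups",
                                  Functionality INTEGER REFERENCES Functionalities,
                                  PRIMARY KEY (Role, Functionality));
INSERT INTO Users VALUES (1,'Bob'),(2,'Scott'),(3,'Jisun'),(4,'Sam'),(5,'John');
INSERT INTO "Groups" VALUES (1,'Administrators'),(2,'Clerk'),(3,'Manager'),(4,'Cashier');
INSERT INTO Roles VALUES (1,1),(2,2),(2,3),(3,4),(4,3),(4,4);
INSERT INTO Functionalities VALUES (1,'Sensitive'),(2,'Protected'),(3,'Public');
INSERT INTO RoleFunctionalities VALUES (1,1),(1,2),(2,2),(3,3);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def functionalities_for_user(conn, username):
    """Resolve Users -> Roles -> RoleFunctionalities -> Functionalities.
    Parameterised, as the question's SqlParameter usage already is."""
    rows = conn.execute(
        "SELECT DISTINCT f.Name FROM Users u "
        "JOIN Roles r ON r.UserID = u.UserID "
        "JOIN RoleFunctionalities rf ON rf.Role = r.GroupID "
        "JOIN Functionalities f ON f.ID = rf.Functionality "
        "WHERE u.Username = ?", (username,))
    return {name for (name,) in rows}

def user_has_access(conn, username, functionality):
    # Application code checks a functionality, never a group name.
    return functionality in functionalities_for_user(conn, username)

def grant(conn, group_name, functionality_name):
    """The new requirement (clerks get one admin functionality) is a data
    change: one row in the many-to-many table, no code change."""
    conn.execute(
        "INSERT OR IGNORE INTO RoleFunctionalities (Role, Functionality) "
        'SELECT g.GroupID, f.ID FROM "Groups" g, Functionalities f '
        "WHERE g.Name = ? AND f.Name = ?", (group_name, functionality_name))
    conn.commit()
```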

alex

Reputation: 953

As Robin Day has stated, what you'll be changing isn't the roles paradigm you've implemented, but rather the specific functionality a "clerk" has access to. These changes will take place wherever (code-behind, inline code, classes, etc.) you're defining the actions a clerk is performing.

My next question isn't related to the clerk functionality per se, but have you looked at ASP.NET Membership (and the SqlRoleProvider) and its implementation of roles?

Upvotes: 2

Sebastian P.R. Gingter

Reputation: 6085

I strongly suggest you take yourself a day's time to investigate the functionality of custom ASP.NET Membership and Roles provider. There are so many tasks that are done 'under the hood' when Membership is used correctly. You can secure whole pages, single navigation nodes (using SiteMapProvider) or even single controls with a one-liner.

Upvotes: 0

Robin Day

Reputation: 102548

The code you should change is your ASP.NET code-behind files.

This should be used to show "Clerks" the additional information they need.

You should not elevate the privileges of a Clerk to that of an Administrator, just give the Clerks the rights they should have.

Upvotes: 1
