Guarav T.

Reputation: 458

Custom Role based authentication

I have very complex requirements for implementing roles and permissions in my ASP.NET MVC 4 application. I know about ASP.NET Identity authentication, but that does not fit my requirements.

I have 15-20 controllers in my application, each with its respective views; some of the views have partial views which are handled in jQuery code and loaded from there.

Now I have the requirements below:

  1. Some controllers are accessible to particular role(s) only.
  2. Some views in a controller are accessible to particular role(s) only.
  3. In a view with grids, only some of the columns and actions like Edit/Create/Delete are accessible to particular role(s) only.

I am thinking of implementing checks on controllers, actions and views on the basis of role, but that can lead to a problem when I have multiple roles and custom roles in the future. What can be the best way to implement this kind of solution? Any suggestions will be appreciated.

Upvotes: 0

Views: 503

Answers (1)

David Brossard

Reputation: 13834

Every time you have "complex" authorization requirements, it's a pretty good indication that "identity-centric" access control is not enough. What's identity-centric? Authorization that relies on user metrics (identity, role, group) only.

Also, in your question, you list the fact that you do not know what the future holds. You do not know what other custom roles you need to implement.

All this means you need to extend your existing RBAC implementation with attribute-based access control (ABAC). ABAC gives you 3 interesting elements which you do not have in RBAC:

  1. A policy language. You can express complex authorization challenges using this policy language (either of or ). In particular you can express things like Permit if user department==record department.
  2. An architecture: the architecture identifies key components with specific responsibilities. For instance, you have a Policy Decision Point (PDP) which produces authorization decisions. You have a Policy Enforcement Point (PEP) which is the piece that sits in front of or inside your application. The PEP protects the application.
  3. A Request / Response scheme between the PEP and the PDP. The standard format is a Yes/No question as shown in the diagram below. JSON can be used to encode the requests.

From your point of view, you have two options. Either:

  1. Implement claims-based authorization. This is available OOTB in .NET.
  2. Bring in XACML. I'm not sure .NET has any native libraries but there are SDKs out there.

[Diagram: ABAC / XACML Architecture - Axiomatics]

Upvotes: 1
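A minimal sketch of the PEP/PDP split the answer describes, as an added example (not code from the answer, from .NET, or from any XACML product): a small in-process PDP evaluates the rule "Permit if user department == record department" purely from attributes, and an MVC 4 `AuthorizeAttribute` subclass acts as the PEP. The names `AuthzRequest`, `AbacPdp`, `AbacAuthorizeAttribute`, the `role`/`department` claim types and the `department` route value are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

// Hypothetical ABAC request: subject, action and resource are plain attribute bags.
public class AuthzRequest
{
    public readonly IDictionary<string, string> Subject = new Dictionary<string, string>();
    public string Action;
    public readonly IDictionary<string, string> Resource = new Dictionary<string, string>();
}

// Minimal in-process Policy Decision Point: a rule returns Permit (true), Deny (false)
// or NotApplicable (null); the first applicable rule wins and the default is Deny.
public static class AbacPdp
{
    static string Attr(IDictionary<string, string> bag, string name)
    {
        string v; return bag.TryGetValue(name, out v) ? v : null;
    }

    static readonly Func<AuthzRequest, bool?>[] Rules =
    {
        // Managers may delete, but only records in their own department.
        r => r.Action == "delete"
            ? Attr(r.Subject, "role") == "manager" && Attr(r.Subject, "department") != null
              && Attr(r.Subject, "department") == Attr(r.Resource, "department")
            : (bool?)null,
        // "Permit if user department == record department" for read and edit.
        r => (r.Action == "read" || r.Action == "edit")
            ? Attr(r.Subject, "department") != null
              && Attr(r.Subject, "department") == Attr(r.Resource, "department")
            : (bool?)null,
    };

    public static bool IsPermitted(AuthzRequest req)
    {
        foreach (var rule in Rules) { bool? d = rule(req); if (d.HasValue) return d.Value; }
        return false; // no rule applied: deny by default
    }
}

// Policy Enforcement Point: builds the request from the caller's claims plus the targeted
// record's attributes and asks the PDP. Usage: [AbacAuthorize(Action = "edit")] on an action.
public class AbacAuthorizeAttribute : AuthorizeAttribute
{
    public string Action { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var user = httpContext.User as ClaimsPrincipal;
        if (user == null || !user.Identity.IsAuthenticated) return false;

        var req = new AuthzRequest { Action = Action };
        foreach (var c in user.Claims) req.Subject[c.Type] = c.Value; // assumed claim types "role", "department"

        // A real PEP would load the record's attributes; the route value stands in for that lookup here.
        var dept = httpContext.Request.RequestContext.RouteData.Values["department"];
        req.Resource["department"] = dept == null ? null : dept.ToString();
        return AbacPdp.IsPermitted(req);
    }
}
```

Column- and button-level decisions in a grid view can reuse the same PDP by asking it per action (`read`, `edit`, `delete`) rather than re-checking role names in the view.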
