By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
424,660 Members | 1,735 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 424,660 IT Pros & Developers. It's quick & easy.

* * * C# Application and Database Security Model * * *

P: n/a
I'm building a new C# web application that will provide my company
some administrative operations that were previously only completed
by tweaking the data in the database.

1. Encrypted password authentication
2. "Group" level permissions that allow permission overrides for specific
users
3. Ability to set permissions to view, edit, and read only - by user or
role.
4. Ability to set permissions based on data - certain users can only see
their related data
5. User based tracking - need to track what data has changed, and when, and
by what user

Example:

Security Roles:
Role A
Role B

Users:
User A
User B

End Result:
- We need to authenticate and allow access to the application to
both User A and User B.

- User A and User B are both company employees, but the operations
and data they have access to may be different.

- User A is in Role A, and User B is in Role B.

- Role B has access to their own operations, but also
has access to some of the same operations as Role A.

- User B/Role B can only see Data B (data specific to this users customers).

- User A/Role A can only see Data A (same as above) - BUT due to User A's
position in the company, they are also able to view User B customer data.

We are trying to utilize an "off the shelf" app like Authorization Manger
with
Windows 2003, or something similar like Impersonation and Delegation.

We are currently using a fairly simple database driven security model that
has
group level permissions, but we now have grown in size and have different
offices/IT departments, and we need an Enterprise level solution to be used
in all IT departments.

{ } Does anyone know if Authorization Manger, or another off the shelf
solution can do this?

{ } Has anyone had the same requirements and built their own component to
handle this?
If so, are you willing to share the architecture?

{ } Does anyone have any information that can point me in the right
direction?

Thanks

--Brian A
Aug 2 '06 #1
Share this Question
Share on Google+
5 Replies


P: n/a
Hello Brian,

Based on your description, you're going to develop a data-driven web
application through ASP.NET and want to perform role based security to
restrict different clients to perform certain data manipulation operations
in the web application, correct?

Based on my experience,here are some approaches you can consider:

1. For building data-driven web applications, ASP.NET (latest version 2.0)
has provided many rich UI controls for conveniently constructing a web
application which access data from backend data page and present the data
on web page. For general ASP.NET development information, you can visit the
following web sites:

http://www.asp.net/

http://msdn.microsoft.com/asp.net/

2. I've noticded that your main concern here is to provide security
authentication against client users and authorize certain users(with
certain roles) to access the resource they're allowed to access. Are the
users and roles here the windows account and groups or the custom users
and roles defined in your own database storage? In ASP.NET, you have the
following options:

1) If you're going to do authentication and authorization against windows
account and groups, you can configure the ASP.NET appilcation to use
windows authentication and also set the IIS virtual directory to use
intergrated windows authentication. Thus, we can get the authenticated
client user's windows identity in ASP.NET web application and then if some
pages are restricted to certain users, you can do the identity checking in
code and prevent any unauthorized users.

2) ASP.NET 2.0 also provide a well encapsulated Membership and role manager
framework which can help easily build web application that will
authenticate user against custom security account database and authroize
users against custom role database. Such application generally use Forms
Authentication and let the user input username/password credentials at the
login form. Here is a good blog article which listed many resources about
the membership and role management service in ASP.NET 2.0:

#ASP.NET 2.0 Membership, Roles, Forms Authentication, and Security
Resources
http://weblogs.asp.net/scottgu/archi...24/438953.aspx
3. As you also mentioned the AzMan, though it is not a naturally .net
managed based component, there are some resoruces introducing how to
integrate it in ASP.NET web application as security mechanism. Here is a
msdn article describing on this:

How To: Use Authorization Manager (AzMan) with ASP.NET 2.0
http://msdn.microsoft.com/library/en...9.asp?frame=tr
ue

All the above are some general information, you can have a look to see
whether any of them will suit your application scenario. And if you have
any further detailed or specific questions, please feel free to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to

http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial

response from the community or a Microsoft Support Engineer within 1
business day is

acceptable. Please note that each follow up response may take approximately
2 business days

as the support professional working with you may need further investigation
to reach the

most efficient resolution. The offering is not appropriate for situations
that require

urgent, real-time or phone-based interactions or complex project analysis
and dump analysis

issues. Issues of this nature are best handled working with a dedicated
Microsoft Support

Engineer by contacting Microsoft Customer Support Services (CSS) at

http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Aug 3 '06 #2

P: n/a
Steven,

I will note my comments next to your text with *** in front of the text.

"Steven Cheng[MSFT]" <st*****@online.microsoft.comwrote in message
news:yn**************@TK2MSFTNGXA01.phx.gbl...
Hello Brian,

Based on your description, you're going to develop a data-driven web
application through ASP.NET and want to perform role based security to
restrict different clients to perform certain data manipulation operations
in the web application, correct?
*** Yes, certain users should only be able to see certain data, while some
*** users can see all data.
Based on my experience,here are some approaches you can consider:

1. For building data-driven web applications, ASP.NET (latest version 2.0)
has provided many rich UI controls for conveniently constructing a web
application which access data from backend data page and present the data
on web page. For general ASP.NET development information, you can visit
the
following web sites:

http://www.asp.net/

http://msdn.microsoft.com/asp.net/

2. I've noticded that your main concern here is to provide security
authentication against client users and authorize certain users(with
certain roles) to access the resource they're allowed to access. Are the
users and roles here the windows account and groups or the custom users
and roles defined in your own database storage? In ASP.NET, you have the
following options:
*** It's more like, 2 users that belong to the same role...one user might
*** have more privileges then the other, so the more privileged user might
*** be able to see more data (1 user can only see their customers, but the
more
*** privileged user can see their customers and everyone elses
>
1) If you're going to do authentication and authorization against windows
account and groups, you can configure the ASP.NET appilcation to use
windows authentication and also set the IIS virtual directory to use
intergrated windows authentication. Thus, we can get the authenticated
client user's windows identity in ASP.NET web application and then if some
pages are restricted to certain users, you can do the identity checking in
code and prevent any unauthorized users.
*** that is the plan, to use integrated security for the initial log in, but
then
*** we have to develop the security schema to handle indiviual access and
data
*** access after that
>
2) ASP.NET 2.0 also provide a well encapsulated Membership and role
manager
framework which can help easily build web application that will
authenticate user against custom security account database and authroize
users against custom role database. Such application generally use Forms
Authentication and let the user input username/password credentials at the
login form. Here is a good blog article which listed many resources about
the membership and role management service in ASP.NET 2.0:

#ASP.NET 2.0 Membership, Roles, Forms Authentication, and Security
Resources
http://weblogs.asp.net/scottgu/archi...24/438953.aspx
3. As you also mentioned the AzMan, though it is not a naturally .net
managed based component, there are some resoruces introducing how to
integrate it in ASP.NET web application as security mechanism. Here is a
msdn article describing on this:

How To: Use Authorization Manager (AzMan) with ASP.NET 2.0
http://msdn.microsoft.com/library/en...9.asp?frame=tr
ue

All the above are some general information, you can have a look to see
whether any of them will suit your application scenario. And if you have
any further detailed or specific questions, please feel free to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to

http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial

response from the community or a Microsoft Support Engineer within 1
business day is

acceptable. Please note that each follow up response may take
approximately
2 business days

as the support professional working with you may need further
investigation
to reach the

most efficient resolution. The offering is not appropriate for situations
that require

urgent, real-time or phone-based interactions or complex project analysis
and dump analysis

issues. Issues of this nature are best handled working with a dedicated
Microsoft Support

Engineer by contacting Microsoft Customer Support Services (CSS) at

http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no
rights.
>


Aug 3 '06 #3

P: n/a
Hi Brian,

Thanks for the reply and I've got that your current plan is to use
intergrated windows security with custom authorization control. For custom
authorization control, here are some general suggestions:

1. If the access control (based on user or their roles) can be done mostly
at page level, you can build a custom httpmodule and put your application's
authorization code logic in the module(it can intercept all the page
requests comming in this application and determine whether to allow or end
or redirect the request). Here are some articles introducing the httpmodule:

#INFO: ASP.NET HTTP Modules and HTTP Handlers Overview
http://support.microsoft.com/kb/307985/

#How to: Create Custom HTTP Modules
http://msdn2.microsoft.com/en-us/library/ms227673.aspx
2.If you'll have small granularity authorization control such as set
different access controling on different parts of a single page, you will
need to build more custom code in your page's code logic to perform such
access control checking.

If there is anything else you care about, please feel free to post here.
Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.

Aug 4 '06 #4

P: n/a
Hello Brian,

Any further progress or got any other ideas on this?

If you have any other questions, please feel free to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.

Aug 8 '06 #5

P: n/a
Hi guys. Just wanted to say that we're using azman to do everything
Brian wants... it's super easy.

<3

Aug 9 '06 #6

This discussion thread is closed

Replies have been disabled for this discussion.