* * * C# Application and Database Security Model * * *

Hello Brian,

Based on your description, you're going to develop a data-driven web
application through ASP.NET and want to perform role based security to
restrict different clients to perform certain data manipulation operations
in the web application, correct?

Based on my experience,here are some approaches you can consider:

1. For building data-driven web applications, ASP.NET (latest version 2.0)
has provided many rich UI controls for conveniently constructing a web
application which access data from backend data page and present the data
on web page. For general ASP.NET development information, you can visit the
following web sites:

http://www.asp.net/

http://msdn.microsoft.com/asp.net/

2. I've noticded that your main concern here is to provide security
authentication against client users and authorize certain users(with
certain roles) to access the resource they're allowed to access. Are the
users and roles here the windows account and groups or the custom users
and roles defined in your own database storage? In ASP.NET, you have the
following options:

1) If you're going to do authentication and authorization against windows
account and groups, you can configure the ASP.NET appilcation to use
windows authentication and also set the IIS virtual directory to use
intergrated windows authentication. Thus, we can get the authenticated
client user's windows identity in ASP.NET web application and then if some
pages are restricted to certain users, you can do the identity checking in
code and prevent any unauthorized users.

2) ASP.NET 2.0 also provide a well encapsulated Membership and role manager
framework which can help easily build web application that will
authenticate user against custom security account database and authroize
users against custom role database. Such application generally use Forms
Authentication and let the user input username/password credentials at the
login form. Here is a good blog article which listed many resources about
the membership and role management service in ASP.NET 2.0:

#ASP.NET 2.0 Membership, Roles, Forms Authentication, and Security
Resources
http://weblogs.asp.net/scottgu/archi...24/438953.aspx
3. As you also mentioned the AzMan, though it is not a naturally .net
managed based component, there are some resoruces introducing how to
integrate it in ASP.NET web application as security mechanism. Here is a
msdn article describing on this:

How To: Use Authorization Manager (AzMan) with ASP.NET 2.0
http://msdn.microsoft.com/library/en...9.asp?frame=tr
ue

All the above are some general information, you can have a look to see
whether any of them will suit your application scenario. And if you have
any further detailed or specific questions, please feel free to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to

http://msdn.microsoft.com/subscripti...ult.aspx#notif
ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial

response from the community or a Microsoft Support Engineer within 1
business day is

acceptable. Please note that each follow up response may take approximately
2 business days

as the support professional working with you may need further investigation
to reach the

most efficient resolution. The offering is not appropriate for situations
that require

urgent, real-time or phone-based interactions or complex project analysis
and dump analysis

issues. Issues of this nature are best handled working with a dedicated
Microsoft Support

Engineer by contacting Microsoft Customer Support Services (CSS) at

http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Steven,

I will note my comments next to your text with *** in front of the text.

"Steven Cheng[MSFT]" <st*****@online.microsoft.comwrote in message
news:yn**************@TK2MSFTNGXA01.phx.gbl...

Hello Brian,

Based on your description, you're going to develop a data-driven web
application through ASP.NET and want to perform role based security to
restrict different clients to perform certain data manipulation operations
in the web application, correct?

*** Yes, certain users should only be able to see certain data, while some
*** users can see all data.

Based on my experience,here are some approaches you can consider:

1. For building data-driven web applications, ASP.NET (latest version 2.0)
has provided many rich UI controls for conveniently constructing a web
application which access data from backend data page and present the data
on web page. For general ASP.NET development information, you can visit

the

following web sites:

http://www.asp.net/

http://msdn.microsoft.com/asp.net/

2. I've noticded that your main concern here is to provide security
authentication against client users and authorize certain users(with
certain roles) to access the resource they're allowed to access. Are the
users and roles here the windows account and groups or the custom users
and roles defined in your own database storage? In ASP.NET, you have the
following options:

*** It's more like, 2 users that belong to the same role...one user might
*** have more privileges then the other, so the more privileged user might
*** be able to see more data (1 user can only see their customers, but the
more
*** privileged user can see their customers and everyone elses

>
1) If you're going to do authentication and authorization against windows
account and groups, you can configure the ASP.NET appilcation to use
windows authentication and also set the IIS virtual directory to use
intergrated windows authentication. Thus, we can get the authenticated
client user's windows identity in ASP.NET web application and then if some
pages are restricted to certain users, you can do the identity checking in
code and prevent any unauthorized users.

*** that is the plan, to use integrated security for the initial log in, but
then
*** we have to develop the security schema to handle indiviual access and
data
*** access after that

>
2) ASP.NET 2.0 also provide a well encapsulated Membership and role

manager

framework which can help easily build web application that will
authenticate user against custom security account database and authroize
users against custom role database. Such application generally use Forms
Authentication and let the user input username/password credentials at the
login form. Here is a good blog article which listed many resources about
the membership and role management service in ASP.NET 2.0:

#ASP.NET 2.0 Membership, Roles, Forms Authentication, and Security
Resources
http://weblogs.asp.net/scottgu/archi...24/438953.aspx
3. As you also mentioned the AzMan, though it is not a naturally .net
managed based component, there are some resoruces introducing how to
integrate it in ASP.NET web application as security mechanism. Here is a
msdn article describing on this:

How To: Use Authorization Manager (AzMan) with ASP.NET 2.0

http://msdn.microsoft.com/library/en...9.asp?frame=tr

ue

All the above are some general information, you can have a look to see
whether any of them will suit your application scenario. And if you have
any further detailed or specific questions, please feel free to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead

==================================================

Get notification to my posts through email? Please refer to

http://msdn.microsoft.com/subscripti...ult.aspx#notif

ications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial

response from the community or a Microsoft Support Engineer within 1
business day is

acceptable. Please note that each follow up response may take

approximately

2 business days

as the support professional working with you may need further

investigation

to reach the

most efficient resolution. The offering is not appropriate for situations
that require

urgent, real-time or phone-based interactions or complex project analysis
and dump analysis

issues. Issues of this nature are best handled working with a dedicated
Microsoft Support

Engineer by contacting Microsoft Customer Support Services (CSS) at

http://msdn.microsoft.com/subscripti...t/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no

rights.

>

Hi Brian,

Thanks for the reply and I've got that your current plan is to use
intergrated windows security with custom authorization control. For custom
authorization control, here are some general suggestions:

1. If the access control (based on user or their roles) can be done mostly
at page level, you can build a custom httpmodule and put your application's
authorization code logic in the module(it can intercept all the page
requests comming in this application and determine whether to allow or end
or redirect the request). Here are some articles introducing the httpmodule:

#INFO: ASP.NET HTTP Modules and HTTP Handlers Overview
http://support.microsoft.com/kb/307985/

#How to: Create Custom HTTP Modules
http://msdn2.microsoft.com/en-us/library/ms227673.aspx
2.If you'll have small granularity authorization control such as set
different access controling on different parts of a single page, you will
need to build more custom code in your page's code logic to perform such
access control checking.

If there is anything else you care about, please feel free to post here.
Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.

Hello Brian,

Any further progress or got any other ideas on this?

If you have any other questions, please feel free to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.

Hi guys. Just wanted to say that we're using azman to do everything
Brian wants... it's super easy.

<3