I am working on my first .NET development project that involves custom
role-based security per the project requirements. This lead to a general
design issue this week that really caused us some concern. I have described
the situation below because we are very curious to see what other, more
experienced, developers might suggest. The specific classes and fields are
used just to illustrate the concepts.
Our application uses role-based authorization security. Thus, we allow the
administrator to define roles to which the can define various permissions.
Permissions are defined relative to the various entities in the application,
such as Users, Customers, Services, etc. One such role might be defined as
follows:
Role: Administrator
Permissions: Add User, Delete User, View User, Update User
Thus a user that is added to the Administrator role is granted permission to
add, delete, view and update User entities. Once such a user is
authenticated, they will be authorized to perform those actions.
Now, consider that the User entity is abstracted by a User class, and
suppose that class has a Username field (among others). If an authenticated
user indicated that they would like to edit the Username field of a system
User entity, the system first checks to see what role the authenticated user
is in. If they are in an administrator role, they have the desired "Update
User" privilege described above, so the system instantiates a User object
and presents it to the user for editing. If, however, the user does not have
this permission, their request is denied and the system does not instantiate
an object.
So far, so good.
Now, suppose that another requirement is that ANY user that is logged into
the system must be granted permission to edit their own Username, regardless
of what role they are in. In otherwords, the currently authenticated user
should always be granted the ability edit their own Username.
Now, here is where we ran into a problem. If the currently authenticated
user would like to update their Username field, but they are not in an
Administrator role, the system will not allow the User object to be
instantiated, so they will not be able to edit their Username as desired.
The object that provides the functionality needed is not accessible. As we
began to think about this situation, it was not clear how best to solve the
problem and it lead to quite a bit of discussion. Naturally, we wondered if
this is a common problem for which there is a consensus solution in the
developer community, or whether there was just something inherently wrong
with our role-based security model, our object model or our logic.
Here are some of the solutions we considered. I was hoping to hear what
others think.
1. Create a hidden "System" role which has all possible permissions. Add a
hidden "System" user to this role. Anytime such a situation occurs, log out
the current user, log in the System user, perform the desired actions, then
log the current user back in.
2. Create a different class, with different security logic, that can be used
to expose the proper Username field to the currently authenticated user for
editing. This would mean that a single field in the DB would be editable
through two different classes.
3. Add additionaly security logic to the User class such that it functions
as follows: If the authenticated user requesting a User object has Update
User permission, instantiate the requesed User object. If the authenticated
user
does not have Update User permission, allow them the ability to instantiate
only the User entity that corresponds to themselves, and expose only the
Username field for editing (make all other fields read-only).
Any thoughts on the problem in general or the possible solutions? As we
thought about this situation and its possible solutions, it raised a few
other questions:
1. Is it considered good design for two different classes to both provide
read/write access to the same field in the database?
2. Does the use of a "SuperUser" account as described constitute a breech of
security?
3. Is it possible for a situation to arise in which the system might not be
able to discern the security context of a request to instantiate an object?
If so, would it be acceptable to use a parameter to communicate that
context?
Thanks! 3 2313
Perhaps a solution - although a slightly more complex one - would be to
explictly set permissions on the user object, rather than the role. What i
mean is, in Windows, any user can belong to groups and get some permission
based on this group membership. However, you can also explicitly set a
permission on the user to say, read a file.
I'd think that in the plumbing, upon instantiation of the User (or perhaps
Identity ) object, it is assigned permissions directly. So, I pseudo-code,
on the constructor of your data class there should be something like:
public myClass() {
new DataAccessPermission(DataAccessPermission.Read)Dem and();
// etc etc.
}
.... that permission demanding code should also be present in the properties
of your class.
What needs to be done for this though, is create your Permission sub-classes
( if an existing Permission class doesn't cover your requirements ), amd
possible implement some "plumbing" inside them to access the permission
you've set on the current user object. It's a bit tricky coding, but once
you've got it, you've a perfect case of re-use for almost any project
afterwards.
I think it's worth taking the time, actually I was planning to create that
sort of thing for the needs of my company as well in the near future,
because we're gonna re-use it in almost any project that requires security.
( This is actually a Java-driven approach, but I think the 2 frameworks are
more-or-less equivalent in functionality, so it shouldn't be very difficult
to implement without any major difficulties )
Hope this helped,
Angel
O:]
"craig" <e@mail.com> wrote in message
news:eD**************@TK2MSFTNGP14.phx.gbl... I am working on my first .NET development project that involves custom role-based security per the project requirements. This lead to a general design issue this week that really caused us some concern. I have
described the situation below because we are very curious to see what other, more experienced, developers might suggest. The specific classes and fields are used just to illustrate the concepts.
Our application uses role-based authorization security. Thus, we allow the administrator to define roles to which the can define various permissions. Permissions are defined relative to the various entities in the
application, such as Users, Customers, Services, etc. One such role might be defined as follows:
Role: Administrator Permissions: Add User, Delete User, View User, Update User
Thus a user that is added to the Administrator role is granted permission
to add, delete, view and update User entities. Once such a user is authenticated, they will be authorized to perform those actions.
Now, consider that the User entity is abstracted by a User class, and suppose that class has a Username field (among others). If an
authenticated user indicated that they would like to edit the Username field of a system User entity, the system first checks to see what role the authenticated
user is in. If they are in an administrator role, they have the desired "Update User" privilege described above, so the system instantiates a User object and presents it to the user for editing. If, however, the user does not
have this permission, their request is denied and the system does not
instantiate an object.
So far, so good.
Now, suppose that another requirement is that ANY user that is logged into the system must be granted permission to edit their own Username,
regardless of what role they are in. In otherwords, the currently authenticated user should always be granted the ability edit their own Username.
Now, here is where we ran into a problem. If the currently authenticated user would like to update their Username field, but they are not in an Administrator role, the system will not allow the User object to be instantiated, so they will not be able to edit their Username as desired. The object that provides the functionality needed is not accessible. As we began to think about this situation, it was not clear how best to solve
the problem and it lead to quite a bit of discussion. Naturally, we wondered
if this is a common problem for which there is a consensus solution in the developer community, or whether there was just something inherently wrong with our role-based security model, our object model or our logic.
Here are some of the solutions we considered. I was hoping to hear what others think.
1. Create a hidden "System" role which has all possible permissions. Add a hidden "System" user to this role. Anytime such a situation occurs, log
out the current user, log in the System user, perform the desired actions,
then log the current user back in.
2. Create a different class, with different security logic, that can be
used to expose the proper Username field to the currently authenticated user
for editing. This would mean that a single field in the DB would be editable through two different classes.
3. Add additionaly security logic to the User class such that it functions as follows: If the authenticated user requesting a User object has Update User permission, instantiate the requesed User object. If the
authenticated user does not have Update User permission, allow them the ability to
instantiate only the User entity that corresponds to themselves, and expose only the Username field for editing (make all other fields read-only).
Any thoughts on the problem in general or the possible solutions? As we thought about this situation and its possible solutions, it raised a few other questions:
1. Is it considered good design for two different classes to both provide read/write access to the same field in the database?
2. Does the use of a "SuperUser" account as described constitute a breech
of security?
3. Is it possible for a situation to arise in which the system might not
be able to discern the security context of a request to instantiate an
object? If so, would it be acceptable to use a parameter to communicate that context?
Thanks!
Actually, I've just found something that might make your life much easier,
and you can combine it with the previous post:
String id1 = "Bob";
String role1 = null;
PrincipalPermission PrincipalPerm1 = new PrincipalPermission(id1, role1);
String id2 = null;
String role2 = "Supervisor";
PrincipalPermission PrincipalPerm2 = new PrincipalPermission(id2, role2);
(PrincipalPerm1.Union(PrincipalPerm2)).Demand();
The following code will demand that the current IPrincipal of the system is
either user "Bob", or that the current IPrincipal is a "Supervisor" ... in
that manner, you can specify that the user accessing your data class is
either an Admin, or the user with the username specified by the class
instance itself - the only disadvantage is that upon construction of the
data object, you don't really know the username contained inside the
instance you're loading without doing a "select" from the DB ... but, almost
nothing is perfect, innit ? You get some small performance overhead, but
great ease-of-use codewise
O:]
"Angelos Karantzalis" <ak**********@agiltech.gr> wrote in message
news:#K**************@TK2MSFTNGP14.phx.gbl... Perhaps a solution - although a slightly more complex one - would be to explictly set permissions on the user object, rather than the role. What i mean is, in Windows, any user can belong to groups and get some permission based on this group membership. However, you can also explicitly set a permission on the user to say, read a file.
I'd think that in the plumbing, upon instantiation of the User (or perhaps Identity ) object, it is assigned permissions directly. So, I pseudo-code, on the constructor of your data class there should be something like:
public myClass() { new DataAccessPermission(DataAccessPermission.Read)Dem and(); // etc etc. }
... that permission demanding code should also be present in the
properties of your class.
What needs to be done for this though, is create your Permission sub-class
es ( if an existing Permission class doesn't cover your requirements ), amd possible implement some "plumbing" inside them to access the permission you've set on the current user object. It's a bit tricky coding, but once you've got it, you've a perfect case of re-use for almost any project afterwards.
I think it's worth taking the time, actually I was planning to create that sort of thing for the needs of my company as well in the near future, because we're gonna re-use it in almost any project that requires
security. ( This is actually a Java-driven approach, but I think the 2 frameworks
are more-or-less equivalent in functionality, so it shouldn't be very
difficult to implement without any major difficulties )
Hope this helped,
Angel O:]
"craig" <e@mail.com> wrote in message news:eD**************@TK2MSFTNGP14.phx.gbl... I am working on my first .NET development project that involves custom role-based security per the project requirements. This lead to a general design issue this week that really caused us some concern. I have described the situation below because we are very curious to see what other, more experienced, developers might suggest. The specific classes and fields
are used just to illustrate the concepts.
Our application uses role-based authorization security. Thus, we allow
the administrator to define roles to which the can define various
permissions. Permissions are defined relative to the various entities in the application, such as Users, Customers, Services, etc. One such role might be defined
as follows:
Role: Administrator Permissions: Add User, Delete User, View User, Update User
Thus a user that is added to the Administrator role is granted
permission to add, delete, view and update User entities. Once such a user is authenticated, they will be authorized to perform those actions.
Now, consider that the User entity is abstracted by a User class, and suppose that class has a Username field (among others). If an authenticated user indicated that they would like to edit the Username field of a
system User entity, the system first checks to see what role the authenticated user is in. If they are in an administrator role, they have the desired
"Update User" privilege described above, so the system instantiates a User
object and presents it to the user for editing. If, however, the user does not have this permission, their request is denied and the system does not instantiate an object.
So far, so good.
Now, suppose that another requirement is that ANY user that is logged
into the system must be granted permission to edit their own Username, regardless of what role they are in. In otherwords, the currently authenticated
user should always be granted the ability edit their own Username.
Now, here is where we ran into a problem. If the currently authenticated user would like to update their Username field, but they are not in an Administrator role, the system will not allow the User object to be instantiated, so they will not be able to edit their Username as
desired. The object that provides the functionality needed is not accessible. As
we began to think about this situation, it was not clear how best to solve the problem and it lead to quite a bit of discussion. Naturally, we wondered if this is a common problem for which there is a consensus solution in the developer community, or whether there was just something inherently
wrong with our role-based security model, our object model or our logic.
Here are some of the solutions we considered. I was hoping to hear what others think.
1. Create a hidden "System" role which has all possible permissions. Add
a hidden "System" user to this role. Anytime such a situation occurs, log out the current user, log in the System user, perform the desired actions, then log the current user back in.
2. Create a different class, with different security logic, that can be used to expose the proper Username field to the currently authenticated user for editing. This would mean that a single field in the DB would be editable through two different classes.
3. Add additionaly security logic to the User class such that it
functions as follows: If the authenticated user requesting a User object has
Update User permission, instantiate the requesed User object. If the authenticated user does not have Update User permission, allow them the ability to instantiate only the User entity that corresponds to themselves, and expose only the Username field for editing (make all other fields read-only).
Any thoughts on the problem in general or the possible solutions? As we thought about this situation and its possible solutions, it raised a few other questions:
1. Is it considered good design for two different classes to both
provide read/write access to the same field in the database?
2. Does the use of a "SuperUser" account as described constitute a
breech of security?
3. Is it possible for a situation to arise in which the system might not be able to discern the security context of a request to instantiate an object? If so, would it be acceptable to use a parameter to communicate that context?
Thanks!
Thanks Angelos. I really appreciate your taking the time to respond.
I will spend some time to study your posts. Looks like some good input.
"Angelos Karantzalis" <ak**********@agiltech.gr> wrote in message
news:eW**************@TK2MSFTNGP10.phx.gbl... Actually, I've just found something that might make your life much easier, and you can combine it with the previous post:
String id1 = "Bob"; String role1 = null; PrincipalPermission PrincipalPerm1 = new PrincipalPermission(id1, role1);
String id2 = null; String role2 = "Supervisor"; PrincipalPermission PrincipalPerm2 = new PrincipalPermission(id2, role2);
(PrincipalPerm1.Union(PrincipalPerm2)).Demand();
The following code will demand that the current IPrincipal of the system is either user "Bob", or that the current IPrincipal is a "Supervisor" ... in that manner, you can specify that the user accessing your data class is either an Admin, or the user with the username specified by the class instance itself - the only disadvantage is that upon construction of the data object, you don't really know the username contained inside the instance you're loading without doing a "select" from the DB ... but, almost nothing is perfect, innit ? You get some small performance overhead, but great ease-of-use codewise
O:]
"Angelos Karantzalis" <ak**********@agiltech.gr> wrote in message news:#K**************@TK2MSFTNGP14.phx.gbl... Perhaps a solution - although a slightly more complex one - would be to explictly set permissions on the user object, rather than the role. What i mean is, in Windows, any user can belong to groups and get some permission based on this group membership. However, you can also explicitly set a permission on the user to say, read a file.
I'd think that in the plumbing, upon instantiation of the User (or perhaps Identity ) object, it is assigned permissions directly. So, I pseudo-code, on the constructor of your data class there should be something like:
public myClass() { new DataAccessPermission(DataAccessPermission.Read)Dem and(); // etc etc. }
... that permission demanding code should also be present in the properties of your class.
What needs to be done for this though, is create your Permission sub-class es ( if an existing Permission class doesn't cover your requirements ), amd possible implement some "plumbing" inside them to access the permission you've set on the current user object. It's a bit tricky coding, but once you've got it, you've a perfect case of re-use for almost any project afterwards.
I think it's worth taking the time, actually I was planning to create that sort of thing for the needs of my company as well in the near future, because we're gonna re-use it in almost any project that requires security. ( This is actually a Java-driven approach, but I think the 2 frameworks
are more-or-less equivalent in functionality, so it shouldn't be very difficult to implement without any major difficulties )
Hope this helped,
Angel O:]
"craig" <e@mail.com> wrote in message news:eD**************@TK2MSFTNGP14.phx.gbl... > I am working on my first .NET development project that involves custom > role-based security per the project requirements. This lead to a > general > design issue this week that really caused us some concern. I have described > the situation below because we are very curious to see what other, more > experienced, developers might suggest. The specific classes and fields are > used just to illustrate the concepts. > > Our application uses role-based authorization security. Thus, we allow the > administrator to define roles to which the can define various permissions. > Permissions are defined relative to the various entities in the application, > such as Users, Customers, Services, etc. One such role might be defined as > follows: > > Role: Administrator > Permissions: Add User, Delete User, View User, Update User > > Thus a user that is added to the Administrator role is granted permission to > add, delete, view and update User entities. Once such a user is > authenticated, they will be authorized to perform those actions. > > Now, consider that the User entity is abstracted by a User class, and > suppose that class has a Username field (among others). If an authenticated > user indicated that they would like to edit the Username field of a system > User entity, the system first checks to see what role the authenticated user > is in. If they are in an administrator role, they have the desired "Update > User" privilege described above, so the system instantiates a User object > and presents it to the user for editing. If, however, the user does not have > this permission, their request is denied and the system does not instantiate > an object. > > So far, so good. > > Now, suppose that another requirement is that ANY user that is logged into > the system must be granted permission to edit their own Username, regardless > of what role they are in. In otherwords, the currently authenticated user > should always be granted the ability edit their own Username. > > Now, here is where we ran into a problem. If the currently > authenticated > user would like to update their Username field, but they are not in an > Administrator role, the system will not allow the User object to be > instantiated, so they will not be able to edit their Username as desired. > The object that provides the functionality needed is not accessible. As we > began to think about this situation, it was not clear how best to solve the > problem and it lead to quite a bit of discussion. Naturally, we > wondered if > this is a common problem for which there is a consensus solution in the > developer community, or whether there was just something inherently wrong > with our role-based security model, our object model or our logic. > > Here are some of the solutions we considered. I was hoping to hear what > others think. > > 1. Create a hidden "System" role which has all possible permissions. > Add a > hidden "System" user to this role. Anytime such a situation occurs, log out > the current user, log in the System user, perform the desired actions, then > log the current user back in. > > 2. Create a different class, with different security logic, that can be used > to expose the proper Username field to the currently authenticated user for > editing. This would mean that a single field in the DB would be > editable > through two different classes. > > 3. Add additionaly security logic to the User class such that it functions > as follows: If the authenticated user requesting a User object has Update > User permission, instantiate the requesed User object. If the authenticated > user > does not have Update User permission, allow them the ability to instantiate > only the User entity that corresponds to themselves, and expose only > the > Username field for editing (make all other fields read-only). > > Any thoughts on the problem in general or the possible solutions? As we > thought about this situation and its possible solutions, it raised a > few > other questions: > > 1. Is it considered good design for two different classes to both provide > read/write access to the same field in the database? > > 2. Does the use of a "SuperUser" account as described constitute a breech of > security? > > 3. Is it possible for a situation to arise in which the system might > not be > able to discern the security context of a request to instantiate an object? > If so, would it be acceptable to use a parameter to communicate that > context? > > Thanks! > >
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Oxygen |
last post by:
I am a developer contracted to a large utility company. This is my
first job out of university. I have been working in IT for 2 years
now. My work involves application development, maintenance, and...
|
by: tracy |
last post by:
hi,
just wonder, can we copy a role then add some new priviledges to the
new role.
hm.. i means, example; now i have a role named role_a. Then I copy
role_a to create role_b. After I created...
|
by: Ted |
last post by:
How do I grant all privileges for a schema that has a large number of
existing tables, procedures, functions, etc to a newly created role,
without having to issue a grant statement for each object...
|
by: gudia |
last post by:
How would I, using a sql script, copy permissions assigned to a user
or a role in one or more databases to another user or a role in their
respective databases?
Help appreciated
|
by: Mark White |
last post by:
Hey everyone
I'm having a great deal of problems finding this information through google
and yahoo, so I turn to you on this.
I have a Windows app running on XP. I am able to caputre the...
|
by: Louly |
last post by:
Hi everybody,
I'm a 22 yrs old girl. I've been developing a Database for 6 months no
using Access. A week ago I had this feeling that I'm wasting my time
in Access. I don't think it's wise to...
|
by: ferherra |
last post by:
Hi,
Hope someone can help...
I databind my gridview (asp.net 2.0) like this:
GridView1.DataSource = Membership.GetAllUsers();
(MembershipUserCollection)
GridView1.DataBind();
In the...
|
by: CK |
last post by:
Does anyone have any experience with this? We have an exisitng sql database
with user and role info. I need to write a custom role provider to use this
data. Does anyone have any examples of this...
|
by: cybertoast |
last post by:
i seem to have some misunderstanding about how roles work in sql server
2005. i see that i can add a role to a database
(dbname->->properties->permissions->. THis allows
me to add either users or...
|
by: monty |
last post by:
Hi All,
I am facing a problem while executing a statement through C++ code
using OLEDB API of Sql server.
There is a problem with DB_OWNER role. If I will enable the DB_OWNER
everything is...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
| |