Good Morning,
I was looking for some feedback, guidance, input, comments, suggestions or
just general thoughts on the following:
For our internal development, I'm trying to create a general, reusable
security framework that is very flexible. It would have to handle both
Authentication and Authorization. The access levels allowed on each 'object'
would be: View/Edit/Read/Write.
Essentially, the first thought that came to mind was to model it after the
way ACL's work in Windows NTFS. This way, I have the flexibility to assign
View/Edit/Read/Write permissions to each button, form, or any other
object/grouping of objects available in any given application.
Unfortunately, all I know about the way ACL's work is what I see as an end
user. I'm assuming each 'object' gets some form of a unique identifier
(guid?). Each user in the system is then linked to a guid along with an
access level (Read, write, etc). This info is stored in a database/xml
file/wherever. Is this a valid approach?
***The question then becomes: How do I do this in an efficient & elegant
manner? I dont want to have to put an IF statement around each and every
button, form or object access!
How do you guys do it? Are there any resources, other people that have
done/attempted something like this in the past?
thanks in advance!
-ZD
7  1018 
Z D,
Generally, I'm not too concerned about user interface element access.
If you have designed your app correctly, you can have people hitting
whatever button they want, because those buttons will call into your
business layer, which has code that is not tied to the UI. Is is there that
you will begin your security checks.
Now, in this area, you have a number of options. It's actually possible
to create your own ACL (and take advantage of the infrastructure that
windows provides). There is a good article showing how to do this (in
unmanaged code which can be converted to managed code) on MSDN titled
"Techniques for Securing Private Objects in Your Applications", located at
(watch for line wrap): http://msdn.microsoft.com/security/d...ateObjects.asp
Hope this helps.
--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com
"Z D" <NO****@NOSPAM.com> wrote in message
news:ev**************@TK2MSFTNGP09.phx.gbl... Good Morning,
I was looking for some feedback, guidance, input, comments, suggestions or
just general thoughts on the following:
For our internal development, I'm trying to create a general, reusable
security framework that is very flexible. It would have to handle both
Authentication and Authorization. The access levels allowed on each
'object' would be: View/Edit/Read/Write.
Essentially, the first thought that came to mind was to model it after the
way ACL's work in Windows NTFS. This way, I have the flexibility to
assign View/Edit/Read/Write permissions to each button, form, or any other
object/grouping of objects available in any given application.
Unfortunately, all I know about the way ACL's work is what I see as an end
user. I'm assuming each 'object' gets some form of a unique identifier
(guid?). Each user in the system is then linked to a guid along with an
access level (Read, write, etc). This info is stored in a database/xml
file/wherever. Is this a valid approach?
***The question then becomes: How do I do this in an efficient & elegant
manner? I dont want to have to put an IF statement around each and every
button, form or object access!
How do you guys do it? Are there any resources, other people that have
done/attempted something like this in the past?
thanks in advance!
-ZD
Hi, Z D
Why you do not include Delete into your model? IMO, write is more like
Update. Do you consider Add role too? What about Confirm or Authorize?
You make one big "mistake" in planning your framework - you start from
technical issues, like ACLs, NTFS and available low-level functionality.
Business requirements usually ignore technical issues and are more general
and fuzzy than simple file/objects permissions.
Flexible security framework should target flexible way of permission
definition and efficient implementation of declaration and run-time checks.
I would suggest as first step to take a look at Attributes namespaces in
..Net and also Permission classes and methods. It's not really useful,
however good starting point
HTH
Alex
"Z D" <NO****@NOSPAM.com> wrote in message
news:ev**************@TK2MSFTNGP09.phx.gbl... Good Morning,
I was looking for some feedback, guidance, input, comments, suggestions or
just general thoughts on the following:
For our internal development, I'm trying to create a general, reusable
security framework that is very flexible. It would have to handle both
Authentication and Authorization. The access levels allowed on each
'object' would be: View/Edit/Read/Write.
Essentially, the first thought that came to mind was to model it after the
way ACL's work in Windows NTFS. This way, I have the flexibility to
assign View/Edit/Read/Write permissions to each button, form, or any other
object/grouping of objects available in any given application.
Unfortunately, all I know about the way ACL's work is what I see as an end
user. I'm assuming each 'object' gets some form of a unique identifier
(guid?). Each user in the system is then linked to a guid along with an
access level (Read, write, etc). This info is stored in a database/xml
file/wherever. Is this a valid approach?
***The question then becomes: How do I do this in an efficient & elegant
manner? I dont want to have to put an IF statement around each and every
button, form or object access!
How do you guys do it? Are there any resources, other people that have
done/attempted something like this in the past?
thanks in advance!
-ZD
Arghh!, this sounds like a hellish project to me. If you really need this
sort of control you need to come up with a set of interfaces for each of
your objects to implement.
For example, your might want a button to be greyed out if no access is
applied or in the case of a text box, you might want the contents to show
blank and the box to remain visible.
This can get awfully complex because its not really something which .NET
implements at this level of granularity. You will have to come up with
inherited designs for all your design time objects.
If I were you, I would think of another approach to this.
Regards - OHM
"Z D" <NO****@NOSPAM.com> wrote in message
news:ev**************@TK2MSFTNGP09.phx.gbl... Good Morning,
I was looking for some feedback, guidance, input, comments, suggestions or
just general thoughts on the following:
For our internal development, I'm trying to create a general, reusable
security framework that is very flexible. It would have to handle both
Authentication and Authorization. The access levels allowed on each
'object' would be: View/Edit/Read/Write.
Essentially, the first thought that came to mind was to model it after the
way ACL's work in Windows NTFS. This way, I have the flexibility to
assign View/Edit/Read/Write permissions to each button, form, or any other
object/grouping of objects available in any given application.
Unfortunately, all I know about the way ACL's work is what I see as an end
user. I'm assuming each 'object' gets some form of a unique identifier
(guid?). Each user in the system is then linked to a guid along with an
access level (Read, write, etc). This info is stored in a database/xml
file/wherever. Is this a valid approach?
***The question then becomes: How do I do this in an efficient & elegant
manner? I dont want to have to put an IF statement around each and every
button, form or object access!
How do you guys do it? Are there any resources, other people that have
done/attempted something like this in the past?
thanks in advance!
-ZD
Hi Nicholas,
Thanks very much for your response.
1) I agree with you. My UI is totally separated from my core business
logic. However, I would still like the UI to be able to "query" the
business logic so that if a user does not have access to hit the delete
button then it would be greyed out. This just provides for a richer user
experience IMO.
2) Thankyou very much for the link. I will definetly take a look at it.
Thanks again,
-ZD
"Nicholas Paldino [.NET/C# MVP]" <mv*@spam.guard.caspershouse.com> wrote in
message news:uS**************@TK2MSFTNGP11.phx.gbl... Z D,
Generally, I'm not too concerned about user interface element access.
If you have designed your app correctly, you can have people hitting
whatever button they want, because those buttons will call into your
business layer, which has code that is not tied to the UI. Is is there
that you will begin your security checks.
Now, in this area, you have a number of options. It's actually
possible to create your own ACL (and take advantage of the infrastructure that
windows provides). There is a good article showing how to do this (in
unmanaged code which can be converted to managed code) on MSDN titled
"Techniques for Securing Private Objects in Your Applications", located at
(watch for line wrap):
http://msdn.microsoft.com/security/d...ateObjects.asp
Hope this helps.
--
- Nicholas Paldino [.NET/C# MVP]
- mv*@spam.guard.caspershouse.com
"Z D" <NO****@NOSPAM.com> wrote in message
news:ev**************@TK2MSFTNGP09.phx.gbl... Good Morning,
I was looking for some feedback, guidance, input, comments, suggestions
or just general thoughts on the following:
For our internal development, I'm trying to create a general, reusable
security framework that is very flexible. It would have to handle both
Authentication and Authorization. The access levels allowed on each
'object' would be: View/Edit/Read/Write.
Essentially, the first thought that came to mind was to model it after
the way ACL's work in Windows NTFS. This way, I have the flexibility to
assign View/Edit/Read/Write permissions to each button, form, or any other
object/grouping of objects available in any given application.
Unfortunately, all I know about the way ACL's work is what I see as an
end user. I'm assuming each 'object' gets some form of a unique identifier
(guid?). Each user in the system is then linked to a guid along with an
access level (Read, write, etc). This info is stored in a database/xml
file/wherever. Is this a valid approach?
***The question then becomes: How do I do this in an efficient & elegant
manner? I dont want to have to put an IF statement around each and every
button, form or object access!
How do you guys do it? Are there any resources, other people that have
done/attempted something like this in the past?
thanks in advance!
-ZD
Hi OHM,
Thanks for your response.
I agree that it seems like its going to be a tough job. Do you have any
suggestions for alternatives right off the top of your head? How do you go
about controlling access in your applications?
thanks!
-ZD
"One Handed Man ( OHM#)" <news.microsoft.com> wrote in message
news:e0**************@TK2MSFTNGP10.phx.gbl... Arghh!, this sounds like a hellish project to me. If you really need this
sort of control you need to come up with a set of interfaces for each of
your objects to implement.
For example, your might want a button to be greyed out if no access is
applied or in the case of a text box, you might want the contents to show
blank and the box to remain visible.
This can get awfully complex because its not really something which .NET
implements at this level of granularity. You will have to come up with
inherited designs for all your design time objects.
If I were you, I would think of another approach to this.
Regards - OHM
"Z D" <NO****@NOSPAM.com> wrote in message
news:ev**************@TK2MSFTNGP09.phx.gbl... Good Morning,
I was looking for some feedback, guidance, input, comments, suggestions
or just general thoughts on the following:
For our internal development, I'm trying to create a general, reusable
security framework that is very flexible. It would have to handle both
Authentication and Authorization. The access levels allowed on each
'object' would be: View/Edit/Read/Write.
Essentially, the first thought that came to mind was to model it after
the way ACL's work in Windows NTFS. This way, I have the flexibility to
assign View/Edit/Read/Write permissions to each button, form, or any other
object/grouping of objects available in any given application.
Unfortunately, all I know about the way ACL's work is what I see as an
end user. I'm assuming each 'object' gets some form of a unique identifier
(guid?). Each user in the system is then linked to a guid along with an
access level (Read, write, etc). This info is stored in a database/xml
file/wherever. Is this a valid approach?
***The question then becomes: How do I do this in an efficient & elegant
manner? I dont want to have to put an IF statement around each and every
button, form or object access!
How do you guys do it? Are there any resources, other people that have
done/attempted something like this in the past?
thanks in advance!
-ZD
Hi AlexS,
Sorry, Delete is definetly a requirement. I just forgot to list it in my
post. Not sure about Confirm or Authorize, how would those fit in?
My plan was to create the foundation using ACL's, etc in order to provide a
very flexible security framework. The business logic would then encapsulate
& use this at a higher level when any authorization is required. This would
take into account all the business & "fuzzy" requirements.
Thank's very much for your response. I like the idea of using attributes, I
will look into it further.
Regards,
-ZD
"AlexS" <sa***********@SPAMsympaticoPLEASE.ca> wrote in message
news:u0****************@tk2msftngp13.phx.gbl... Hi, Z D
Why you do not include Delete into your model? IMO, write is more like
Update. Do you consider Add role too? What about Confirm or Authorize?
You make one big "mistake" in planning your framework - you start from
technical issues, like ACLs, NTFS and available low-level functionality.
Business requirements usually ignore technical issues and are more general
and fuzzy than simple file/objects permissions.
Flexible security framework should target flexible way of permission
definition and efficient implementation of declaration and run-time
checks. I would suggest as first step to take a look at Attributes namespaces in
.Net and also Permission classes and methods. It's not really useful,
however good starting point
HTH
Alex
"Z D" <NO****@NOSPAM.com> wrote in message
news:ev**************@TK2MSFTNGP09.phx.gbl... Good Morning,
I was looking for some feedback, guidance, input, comments, suggestions
or just general thoughts on the following:
For our internal development, I'm trying to create a general, reusable
security framework that is very flexible. It would have to handle both
Authentication and Authorization. The access levels allowed on each
'object' would be: View/Edit/Read/Write.
Essentially, the first thought that came to mind was to model it after
the way ACL's work in Windows NTFS. This way, I have the flexibility to
assign View/Edit/Read/Write permissions to each button, form, or any other
object/grouping of objects available in any given application.
Unfortunately, all I know about the way ACL's work is what I see as an
end user. I'm assuming each 'object' gets some form of a unique identifier
(guid?). Each user in the system is then linked to a guid along with an
access level (Read, write, etc). This info is stored in a database/xml
file/wherever. Is this a valid approach?
***The question then becomes: How do I do this in an efficient & elegant
manner? I dont want to have to put an IF statement around each and every
button, form or object access!
How do you guys do it? Are there any resources, other people that have
done/attempted something like this in the past?
thanks in advance!
-ZD
ZD,
I created a home grown security model for my projects. The model is
directly linked to our HR application and works well as any changes in staff
are immediately placed into action.
I created a simple database model that houses:
(1) views into the users and groups tables in HR
(2) Applications
(3) Connection strings
(4) User and Group Roles
(5) An other users tables for users that are not employees (consultants that
may need access to the application that have rights to log into the network)
On top of these tables I created a simple object model that is used to query
the database. The model is used in any of my UI's, both windows and web.
Security is role based and is enforced in the UI, trying to implement the
security in your business layer is not only difficult but probably
unnecessary.
Regards,
Dan
"Z D" <NO****@NOSPAM.com> wrote in message
news:ev**************@TK2MSFTNGP09.phx.gbl... Good Morning,
I was looking for some feedback, guidance, input, comments, suggestions or
just general thoughts on the following:
For our internal development, I'm trying to create a general, reusable
security framework that is very flexible. It would have to handle both
Authentication and Authorization. The access levels allowed on each
'object' would be: View/Edit/Read/Write.
Essentially, the first thought that came to mind was to model it after the
way ACL's work in Windows NTFS. This way, I have the flexibility to
assign View/Edit/Read/Write permissions to each button, form, or any other
object/grouping of objects available in any given application.
Unfortunately, all I know about the way ACL's work is what I see as an end
user. I'm assuming each 'object' gets some form of a unique identifier
(guid?). Each user in the system is then linked to a guid along with an
access level (Read, write, etc). This info is stored in a database/xml
file/wherever. Is this a valid approach?
***The question then becomes: How do I do this in an efficient & elegant
manner? I dont want to have to put an IF statement around each and every
button, form or object access!
How do you guys do it? Are there any resources, other people that have
done/attempted something like this in the past?
thanks in advance!
-ZD
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Z D |
last post by:
Good Morning,
I was looking for some feedback, guidance, input, comments, suggestions or
just general thoughts on the following:
For our internal development, I'm trying to create a general,...
|
by: Earl Teigrob |
last post by:
Background:
When I create a ASP.NET control (User or custom), it often requires security to be set for certain functionality with the control. For example, a news release user control that is...
|
by: Earl Teigrob |
last post by:
Background:
When I create a ASP.NET control (User or custom), it often requires security to be set for certain functionality with the control. For example, a news release user control that is...
|
by: Jeremy S. |
last post by:
..NET's code Access Security enables administrators to restrict the types of
things that a .NET application can do on a local computer. For example, a
..NET Windows Forms application can be...
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and...
| |
