
C#: Security / user rights for an application suite, ldap suitable?

We are developing a suite of Windows applications for a client and need to add a security module. The basic needs are fairly simple:
A function to return a list of permissions:

string[] AllowedApplications = Security.GetList("Applications");
string[] AllowedMenusAndButtons = Security.GetList("Functions"); 
//In General:
string[] AllowedObjects = Security.GetList(<ObjectType>);

With the allowed applications we decide if the current user can start the application, and with AllowedMenusAndButtons we decide which buttons/menus are enabled. The AllowedObjects will be used for row level security on objects.

For the administration of the rights we just need a simple GUI that allows users to be grouped together and the rights assigned to users or groups.

Is LDAP suitable for these requirements or would it be too much overhead? Is there another framework we can use or are we better off developing it ourselves?

A lot depends on how many users you have and, in addition to permission management, do you foresee that more such attributes might need to be managed later on?

If you don't have a large number of users, a simple XML would do and you can use XPATH queries to operate on the XML easily. For a large number of users, LDAP sounds feasible.

Btw, I am curious to know if AllowedMenusAndButtons will be used to "display" menus which are valid for a particular user? If so, I am hoping you will be performing authorization on server level for those menus. A common security bug is to display only the menus applicable and consider this as authorization. I'm not sure if AllowedObjects is that server level authorization; if it is, you are all good.
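
The distinction the answer draws between showing menus and authorizing actions, as an added example that is not part of the original posts: the permission list only drives what the client enables, while the server-side operation repeats the check itself. The `user` parameter on `GetList`, the `Demand` helper, `OrderService` and the sample grants are hypothetical and constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical server-side permission store; the sample grants are constructed.
static class Security
{
    static readonly Dictionary<(string User, string Type), string[]> Grants =
        new Dictionary<(string User, string Type), string[]>
        {
            [("alice", "Functions")] = new[] { "Orders.View", "Orders.Delete" },
            [("bob", "Functions")] = new[] { "Orders.View" },
        };

    // Same shape as the question's GetList, plus an explicit user (assumption).
    public static string[] GetList(string user, string objectType) =>
        Grants.TryGetValue((user, objectType), out var list) ? list : Array.Empty<string>();

    // Fail closed: unknown users, object types or names are denied.
    public static void Demand(string user, string objectType, string name)
    {
        if (!GetList(user, objectType).Contains(name, StringComparer.Ordinal))
            throw new UnauthorizedAccessException($"{user} lacks {objectType}/{name}");
    }
}

// Server-side operation: the check runs here no matter which buttons the client enabled.
static class OrderService
{
    public static string DeleteOrder(string user, int orderId)
    {
        Security.Demand(user, "Functions", "Orders.Delete");
        return $"order {orderId} deleted by {user}";
    }
}

static class Program
{
    static void Main()
    {
        // Client side: the list only decides what is shown or enabled.
        bool deleteEnabled = Security.GetList("bob", "Functions").Contains("Orders.Delete");
        Console.WriteLine($"bob delete button enabled: {deleteEnabled}");
        Console.WriteLine(OrderService.DeleteOrder("alice", 42));
        try { OrderService.DeleteOrder("bob", 42); } // call arrives despite the disabled button
        catch (UnauthorizedAccessException e) { Console.WriteLine($"denied: {e.Message}"); }
    }
}
```

The same `Demand` call works whether the grants come from LDAP groups, an XML file or a database, since only `GetList` touches the store.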
