ASP.NET 2.0 Security Membership Provider Pattern

Question

I am creating a website in ASP MVC. Can anyone give me some advice on using the built-in membership provider in the following way.

I want my users to create an Administrative account for themselves and then create accounts for the people in their organization, or the people that they want to give access to.

I guess in a Database it will look something like this:

Companies have Administrators. Administrators can give users access.

I am sure this pattern is used all over the place, I am just not sure how to implement it. Especially using the membership providers.

Thanks,

David

Answer 1

There is nothing special in implementing this. It can be easily accomplished by built-in features of ASP.NET 2.0:

1. Configure Web site to use membership (via web.config )
2. Enable role management (via web.config <roles enabled="true"> tag )
3. Add administrator accounts to Administrators role.
4. Control access to the administrative pages by using [Authorize(Roles="Administrators")] attribute in the controller action.
5. Require authentication on other non-admin actions ( [Authorize] )

Answer 2

When I did this, I used the Membership Provider for authentication however, the organization concept I created externally from the Provider. You could use the Profile Provider.

As for roles I would still use the Roles within the ASP.Net Membership Model.

Answer 3

You can create a role for those people and name it something like organizational-admin, though that's a bit long, you catch my drift :). And give those the power to create users with a regular user role. At least that's how i did it in one of my applications.

Ofcourse you'll keep the admin to yourself or to the person who is in charge of this particular site.

Gu's blog has a small example of how to implement the roles in an action filter.