
ASP.NET Identity 2 hierarchical roles

I'm building an ASP.NET MVC app with the Identity 2.0 Framework. I've added the users and roles on the AspNet* tables on SQL Server. Here's a sample of the roles:

  • Finance
  • General
  • SquadLeader
  • Management
  • SystemAdmin

Someone with SystemAdmin has all other roles. Management includes SquadLeader and Finance.

When assigning these on AspNetUserRoles, I'd hate to list out every combination for each user. Is there a way to have one role be a group of roles or a hierarchy? So when I run User.IsInRole("Finance") it would be true for a user who has been assigned the SystemAdmin role? Thanks.

Assuming these roles are "as is" and the list of roles here is all of them, then you can translate this into a flags-based enum, and a representation of a set of roles can be stored in the db as an integer.

Here's how it might work ...

[Flags] // needed so the values combine and print as a set of flags
public enum Role
{
   Finance = 1,
   General = 2,
   SquadLeader = 4,
   Management = 8,
   SystemAdmin = 16
}

When I apply this to my business logic I can say stuff like ...

var genAndSysAdmin = 18;
var genAndSysAdminFlags = Role.General | Role.SystemAdmin;

Using this you can have a "RoleFlags" variable of type "Role" on a user object and do checks like ...

User.Roles.HasFlag(Role.Management) 

... to check if a user is in a given role. In other words, in your example, if the user has all other roles when they have sysAdmin, the flags value would be ...

var allRoles = 16 + 8 + 4 + 2 + 1;

... essentially this works like a simple bitmap.

HOWEVER!

It is not recommended that we design our security model this way.

Instead we should create a normal role structure but then also allow the roles to have a child collection of roles and a parent role.

This would allow a more typical design that works something like an LDAP / Active Directory type setup ...

public class Role
{
    [Key]
    public Guid Id { get; set; }
    [ForeignKey("Parent")]
    public Guid? ParentId { get; set; } // nullable: the root role has no parent
    [Required]
    public string Name { get; set; }
    public virtual Role Parent { get; set; }
    public ICollection<User> Users { get; set; }
    public ICollection<Role> Children { get; set; }
}

public class User 
{
   [Key]
   public Guid Id { get; set; }
   ...
   public ICollection<Role> Roles { get; set; }
}

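Then we set up our data like this ...

var systemAdmin = new Role { Id = Guid.NewGuid(), Name = "SystemAdmin" };
var management = new Role { Id = Guid.NewGuid(), Name = "Management", ParentId = systemAdmin.Id };
var squadLeader = new Role { Id = Guid.NewGuid(), Name = "SquadLeader", ParentId = management.Id };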
...

... working this way allows you to inherit, in a flexible manner, the level of permissions of all the child roles in any given parent role, and also to treat your permissions like the hierarchy you are trying to simulate, whilst taking a more typical pattern and allowing you to add new roles in the future.
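The parent/child lookup described in the answer above, as an added example that is not part of the original post and not an ASP.NET Identity API: a role check that walks from the required role up through its parents, so a user assigned SystemAdmin passes a check for Finance. The names `RoleHierarchy` and this `IsInRole` helper are hypothetical, the role table is constructed sample data, and placing General directly under SystemAdmin is an assumption.

```csharp
using System;
using System.Collections.Generic;

// Added example: hypothetical helper, not part of ASP.NET Identity.
public static class RoleHierarchy
{
    // Child -> parent, mirroring Role.ParentId. Constructed sample data;
    // General sitting directly under SystemAdmin is an assumption.
    private static readonly Dictionary<string, string> Parent =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "SystemAdmin", null },
            { "Management", "SystemAdmin" },
            { "General", "SystemAdmin" },
            { "SquadLeader", "Management" },
            { "Finance", "Management" },
        };

    // True when the user holds the required role or any ancestor of it.
    public static bool IsInRole(IEnumerable<string> assigned, string required)
    {
        var held = new HashSet<string>(assigned, StringComparer.OrdinalIgnoreCase);
        var seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        var current = required;
        while (current != null)
        {
            // Fail closed: a role missing from the table, or a cycle in the
            // stored ParentId links, denies access instead of looping.
            if (!Parent.ContainsKey(current) || !seen.Add(current)) return false;
            if (held.Contains(current)) return true;
            current = Parent[current];
        }
        return false;
    }

    public static void Main()
    {
        var admin = new[] { "SystemAdmin" };
        var manager = new[] { "Management" };
        var leader = new[] { "SquadLeader" };
        Console.WriteLine(IsInRole(admin, "Finance"));       // inherited via Management
        Console.WriteLine(IsInRole(manager, "Finance"));     // direct child of Management
        Console.WriteLine(IsInRole(manager, "SystemAdmin")); // inheritance never flows upward
        Console.WriteLine(IsInRole(leader, "Finance"));      // sibling roles grant nothing
    }
}
```

Inheritance runs one way only: holding a parent role satisfies checks for its descendants, while a child or sibling role never satisfies a check for a role above or beside it.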
