How do I to create a security policy by profile using Asp.Net MVC?

Question

I'm creating a system using Asp.Net MVC, but before I start to develop I need to define the security policy. I thought to create it by profile where each profile will have permissions to access, for example: Profile Administrative (all permissions), Profile Common (restrict access), Profile Manager (with some permissions of profile Administrative).

I thought to create a Profile with Permissions by Method's Name or Controllers and give permissions as boolean true/false, example: The method addNewProduct() , whether this method only works to Profile Administrative/Manager I will give permissions only for them, however, I don't know how could I do to get the Controller or Method's name to give these permissions.

Example:

Profiles

Administrative      |   Common             |   Manager
[x]addNewProduct    |   []addNewProduct    |   [x]addNewProduct

How could I do this ? Any suggestion ?

Answer 1

What you are looking for is not profiles but roles , and the technique is called Role-Based Authorization .

In ASP.NET MVC, you can use it like this:

[Authorize] //ensure a user is signed-in
public class MyController : Controller
{
    [Authorize(Roles = "Administrative,Manager")] // ensure the user is signed in and belongs in one of the roles
    public ActionResult DoSomething()
    {
        return View();
    }
}

Here, if, for example, Windows Authentication was enabled, the Authorize attribute would look for the user's Groups in Active Directory to confirm whether the user belong to one of those groups or not.