
How to handle authorization in an application?

I have the authentication portion of an ASP.NET 3.5 web application complete. I would like to know more about common authorization patterns.

May I present my current authorization structure:

I have a database with "Module" and "Operation" tables. Modules represent systems in the application and operations represent actions that one is able to perform within a system.

Customer, Order, Billing would be defined as modules. An "operation" is related to a module: Customer.Add, Customer.Delete would be customer operations.

Each user has a role which has access to certain operations, depending on their role.

Please note that page menus are generated based on user's access, and users will not see modules and operations they do not have access to.


My questions begin with how to implement an authorization scheme here, possibly using an existing pattern or technique.

How and when should I secure the module, and check the authorization of a user to perform an operation on said module?

I have not implemented this yet, but here is one way I thought of:

  1. User clicks on an operation: Module: Customers | Operation: Add
  2. In the click event I look at the user's role and verify that the user can perform the operation, then I fire the operation or direct the user accordingly.


Please pardon the obscure nature of this question. I am not sure what to ask here.

I am looking to see how people handle authorization, and how people allow / disallow access to business methods. I am not sure if declarative security is what I need, or if the simple example I provided above is the way to go.

There are many options for me here and the possibilities seem endless. Please let me know if there are any models or patterns I can look to handle authorization inside of an application.

If you want it like that then start small.

First implement functionality along the lines of public bool User.HasRightsFor(Module m, Action a) with overloads. It can even be static because you can get the current user from the system.

You can then simply ask if the user has right for the current action/module/whatever and act accordingly.

It is very similar to what you currently have thought of, with the exception that I would not look at the roles and then decide, but directly return the result. You can solve the internals later and the system will be easier to modify.

You can easily integrate such a system with (e.g.) ASP.NET Role-Based Authorization.
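The shape of the `HasRightsFor` check this answer suggests, as an added C# example that is not code from the question or the answer. The `Module`/`Operation` enums stand in for the question's tables, the role-to-permission dictionary is constructed sample data, and `Authorization` and `CustomerService` are hypothetical names. The point a practitioner should take from it: the same check is called from the page (to draw the menu) and from the business method (to enforce), so hiding a menu item is never the only control.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Threading;

// Modules and operations mirror the question's tables (constructed sample values).
public enum Module { Customer, Order, Billing }
public enum Operation { View, Add, Edit, Delete }

// One permission is a (module, operation) pair, e.g. "Customer.Add".
public struct Permission
{
    public readonly Module Module;
    public readonly Operation Operation;
    public Permission(Module m, Operation o) { Module = m; Operation = o; }
    public override string ToString() { return Module + "." + Operation; }
}

// Central check: the one place the page, the menu builder and the business layer all call.
public static class Authorization
{
    // Role -> granted permissions. Constructed sample data standing in for the
    // Role/Module/Operation tables described in the question; load it from the DB in practice.
    private static readonly Dictionary<string, HashSet<string>> RoleGrants =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "Clerk",   new HashSet<string> { "Customer.View", "Order.View", "Order.Add" } },
            { "Manager", new HashSet<string> { "Customer.View", "Customer.Add", "Customer.Delete",
                                               "Order.View", "Order.Add", "Order.Delete",
                                               "Billing.View" } },
        };

    // Overload 1: the current principal (HttpContext.Current.User in an ASP.NET page).
    public static bool HasRightsFor(Module m, Operation o)
    {
        return HasRightsFor(Thread.CurrentPrincipal, m, o);
    }

    // Overload 2: any IPrincipal, so the check works with the ASP.NET RoleProvider
    // (user.IsInRole) without the caller knowing where roles are stored.
    public static bool HasRightsFor(IPrincipal user, Module m, Operation o)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;                               // deny by default
        string wanted = new Permission(m, o).ToString();
        foreach (KeyValuePair<string, HashSet<string>> role in RoleGrants)
            if (user.IsInRole(role.Key) && role.Value.Contains(wanted))
                return true;
        return false;
    }

    // Throwing variant for business methods: the service enforces the same rule
    // the UI used to decide whether to show the button.
    public static void Demand(Module m, Operation o)
    {
        if (!HasRightsFor(m, o))
            throw new UnauthorizedAccessException("Missing right " + new Permission(m, o));
    }
}

// Business layer: the check lives here, not only in the click handler.
public class CustomerService
{
    public void Add(string name)
    {
        Authorization.Demand(Module.Customer, Operation.Add);
        // ... persist the customer ...
    }
}

public static class Demo
{
    public static void Main()
    {
        // Simulate a signed-in clerk; in ASP.NET the principal comes from forms auth + RoleProvider.
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("jane"), new[] { "Clerk" });

        // Page code: show the "Add customer" button only when the right exists.
        bool showAddButton = Authorization.HasRightsFor(Module.Customer, Operation.Add);
        Console.WriteLine("Show Customer.Add button: " + showAddButton);

        // A crafted request that skips the hidden button still hits the service check.
        try { new CustomerService().Add("Acme"); }
        catch (UnauthorizedAccessException ex) { Console.WriteLine("Blocked: " + ex.Message); }
    }
}
```

In a page, `btnAdd.Visible = Authorization.HasRightsFor(Module.Customer, Operation.Add);` drives the menu, and the click handler simply calls `CustomerService.Add`; because `Demand` runs inside the service, a user who reaches the handler without the right (a bookmarked URL, a replayed POST) is refused there as well.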

I know my answer is a late-comer but I would just like to point out that in scenarios where you have dynamic access control needs such as the one you described with multiple attributes / parameters kicking in, you want to consider attribute-based access control (ABAC) and the eXtensible Access Control Markup Language (XACML) which implements ABAC.

You can read more on both at these reference sites:

With XACML you can define policies such as:

  • a customer can pay a bill they own
  • a customer can view the bills they are assigned to and the bills assigned to people they are responsible for (children for instance)
  • a customer representative can manage bills in the region the representative is assigned to
  • ...
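The three policy lines above, written as attribute-based rules in C# (an added example, not code from the answer and not a XACML engine). The `Subject` and `Bill` attribute classes, the `BillPolicy` name and the sample data are all constructed for illustration; a real deployment would hand these attributes to a XACML Policy Decision Point instead. What it shows is the difference from the role table in the question: each decision compares attributes of the user and the resource (owner, dependents, region), which a static role-to-operation grant cannot express.

```csharp
using System;
using System.Collections.Generic;

// Subject attributes, as a PEP would collect them for the decision point (constructed names).
public class Subject
{
    public string Id;
    public string Role;                                          // "customer" or "representative"
    public string Region;                                        // representative's assigned region
    public HashSet<string> Dependents = new HashSet<string>();  // people this customer is responsible for
}

// Resource attributes of a bill (constructed names).
public class Bill
{
    public string Id;
    public string OwnerId;       // who owes the bill
    public string AssignedTo;    // who it is assigned to
    public string Region;
}

// A rule is a predicate over (subject, action, resource); true means Permit.
public delegate bool Rule(Subject s, string action, Bill b);

public static class BillPolicy
{
    // One rule per policy line from the answer. Any matching rule permits;
    // with no match the decision is Deny (deny-by-default).
    private static readonly List<Rule> Rules = new List<Rule>
    {
        // a customer can pay a bill they own
        (s, a, b) => s.Role == "customer" && a == "pay" && b.OwnerId == s.Id,

        // a customer can view bills assigned to them, or assigned to people they are responsible for
        (s, a, b) => s.Role == "customer" && a == "view"
                     && (b.AssignedTo == s.Id || s.Dependents.Contains(b.AssignedTo)),

        // a customer representative can manage bills in the region they are assigned to
        (s, a, b) => s.Role == "representative" && a == "manage" && b.Region == s.Region,
    };

    public static bool IsPermitted(Subject s, string action, Bill b)
    {
        if (s == null || b == null || action == null) return false;
        foreach (Rule rule in Rules)
            if (rule(s, action, b)) return true;
        return false;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample subjects and bills.
        Subject alice = new Subject { Id = "alice", Role = "customer" };
        alice.Dependents.Add("bob");                              // alice is responsible for bob
        Subject rep = new Subject { Id = "rep1", Role = "representative", Region = "north" };
        Bill bobsBill = new Bill { Id = "B1", OwnerId = "bob", AssignedTo = "bob", Region = "north" };
        Bill otherBill = new Bill { Id = "B2", OwnerId = "carol", AssignedTo = "carol", Region = "south" };

        // Same role, same action, different decisions, because the resource attributes differ.
        Console.WriteLine("alice view B1: " + BillPolicy.IsPermitted(alice, "view", bobsBill));
        Console.WriteLine("alice pay  B1: " + BillPolicy.IsPermitted(alice, "pay", bobsBill));
        Console.WriteLine("alice view B2: " + BillPolicy.IsPermitted(alice, "view", otherBill));
        Console.WriteLine("rep manage B1: " + BillPolicy.IsPermitted(rep, "manage", bobsBill));
        Console.WriteLine("rep manage B2: " + BillPolicy.IsPermitted(rep, "manage", otherBill));
    }
}
```

The rules are deliberately kept as data (a list of predicates) rather than `if` chains in each page, so that they can be reviewed and changed in one place, which is also the property XACML gives you by moving the policy out of application code entirely.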

Have you looked at Microsoft's AzMan (Authorization Manager)?

It contains an API to program against to ask about operations and a GUI (azman.msc) where you can define roles, map rights and store them in an XML file.

So instead of defining module+operation ("Customer" plus "Add") as in your approach, you can define an AzMan operation "CustomerAdd".
