Roles & Related Permissions Question

Old forum URL: forums.lhotka.net/forums/t/1173.aspx


RangerGuy posted on Saturday, September 09, 2006

UPDATE: I cast the Principal object to a custom principal object like so: ((MyCustomPrincipal)Csla.ApplicationContext.User). This allowed me to create a method to search the roles assigned to the user for an appropriate RightID :) Security Model is 80% complete now. I believe :|

--------------------------------------------------------------------------------------

UPDATE: I figured it out. The tough part is making the roles dynamic so an admin can use a tool to create roles. We don't want to hard code roles into the business objects (I still need to figure out how to do this).

But I did get the NameValueList of Roles/Rights working. I don't know if it's right but the footprint is like this
NameValueList Key = RoleID, Value = RoleObject
The role object contains a list of permissions.
I have it pulling from the DB and bound to controls so I can make sure all is pulled correctly.

Now I just have to make the method in Identity to check to see if the user's role has a specific right.

--------------------------------------------------------------------------------------

I am building the Security Section of our application this weekend and am hoping to get some insight. Our Users, Roles and Permissions are DB Driven.

Here is how our security model needs to function. The permission list is not user configurable but is stored
in the database.

1) Admin creates a Role called: Data Entry Clerk Level 1
2) Admin assigns specific permissions to the role.
3) Admin creates users.
4) Admin assigns users to the Data Entry Clerk Level 1 Role.
5) User logs in and the system authenticates the user and gets his/her role(s) and related permissions (I think).


The part I don't understand is where is the relationship between Roles and Permissions. It's easy in the
database but I don't understand how the BO's and UI are supposed to work with single permissions.

For Example: Admin Level 1 can view a specific set of Reports.

Our pages will have a permission id value hardcoded on the page.

When the user loads its role(s), should I also load the list of permissions associated with that role?

We don't want to hard code what role can access what feature. It needs to be DB driven. I'm a little confused
as to how to fit this into the CSLA security model. In our classic ASP application that I am redeveloping now we just
used queries to make sure the user had a specific permission ID.
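
The role-to-permission lookup described in the post, as an added example that is not part of the original post and not CSLA's own code: a stand-alone custom principal that holds the roles loaded at login and answers a check against a permission id hard-coded on a page. The `Role` type, `HasRight`, `Demo`, the user name and the sample ids are assumptions made for illustration; in a CSLA application the principal would be reached by casting Csla.ApplicationContext.User, as the post does.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

// Hypothetical role type: one role row plus the permission ids assigned to it.
public sealed class Role
{
    public int RoleId { get; }
    public string Name { get; }
    public HashSet<int> RightIds { get; }
    public Role(int roleId, string name, IEnumerable<int> rightIds)
    {
        RoleId = roleId; Name = name; RightIds = new HashSet<int>(rightIds);
    }
}

// Principal that carries the roles loaded at login (key = RoleID, value = role object).
public sealed class MyCustomPrincipal : IPrincipal
{
    private readonly Dictionary<int, Role> _roles;
    private readonly HashSet<int> _rights; // union of the rights of every role
    public IIdentity Identity { get; }

    public MyCustomPrincipal(IIdentity identity, IEnumerable<Role> roles)
    {
        Identity = identity;
        _roles = roles.ToDictionary(r => r.RoleId);
        _rights = new HashSet<int>(_roles.Values.SelectMany(r => r.RightIds));
    }

    public bool IsInRole(string role) => _roles.Values.Any(r => r.Name == role);

    // Deny by default: an unauthenticated user or an unknown id has no right.
    public bool HasRight(int rightId) => Identity.IsAuthenticated && _rights.Contains(rightId);
}

public static class Demo
{
    private const int ViewReportsRightId = 42; // constructed id, hard-coded on the page

    public static void Main()
    {
        // Constructed sample data standing in for the rows read from the database.
        var clerk = new Role(1, "Data Entry Clerk Level 1", new[] { 10, 11 });
        IPrincipal user = new MyCustomPrincipal(new GenericIdentity("jdoe"), new[] { clerk });
        Console.WriteLine(((MyCustomPrincipal)user).HasRight(ViewReportsRightId));
        Console.WriteLine(((MyCustomPrincipal)user).HasRight(10));
    }
}
```

Because pages and business objects test only the permission id, an admin can create or rename roles in the database without any role name appearing in code. A UI check like this only hides features, so the same `HasRight` test belongs in the business object or data access path as well.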

Copyright (c) Marimer LLC