A newbie question... In a web application, how do we deal with security, administration and roles in relation to the ASP.NET membership? How would an application gain/not gain access to data based on its "role"? It seems the authorization roles are hard-coded string values in the objects.
Thanks in advance.
You can think of authorization occurring at two levels in any application.
The first is easily solved using coarse-grained concepts like those provided by Windows security or IIS or ASP.NET. It is very easy in any of those models to allow/disallow users access to an app - or sometimes even broad regions of an app.
The second is more challenging, because it is business logic. The business users decide how to categorize users into roles or groups, and then they decide which groups of users are allowed to view, edit or act on various bits of data throughout the application.
In most cases these grouping concepts don't change very often, and they are almost always application-specific. This is why COM+, for instance, has its own concept of user roles, which is different from Windows itself - because most applications define an internal set of roles/groups that has little or nothing to do with network-level security groups like you'd find in Active Directory.
What I'm getting at is that for most applications it is perfectly fine to hard-code the role names, because they don't change often, if at all.
If you have one of those rare applications where you actually need to change the role/group that can do certain operations (rather than just changing the membership of that role/group), then you'll need to load the role names at runtime. This is easily done, and this is specifically why I designed the AddAuthorizationRules() method the way I did. Notice that the code in that method is very data-driven and it would be trivial to call those methods based on data from a database, config file or other dynamic source.
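The two options the answer describes, hard-coded role names versus role names loaded at runtime, as an added example that is not part of the original post and is not CSLA's own code. `AuthorizationRules`, `Project`, `RuleRow` and the `AddAuthorizationRules` body here are a small stand-alone model written for this illustration; only `GenericPrincipal`, `GenericIdentity` and `Thread.CurrentPrincipal` are real .NET APIs. The rule rows are constructed in place to stand in for a database or config file.

```csharp
// Added example: business-level authorization keyed on role names, with the role
// names either hard-coded or loaded from data. Not CSLA code; names are hypothetical.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Threading;

enum Access { Read, Write }

// Per-object rule store: (operation, property) -> roles allowed to perform it.
class AuthorizationRules
{
    private readonly Dictionary<string, HashSet<string>> _rules =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);

    public void AllowRead(string property, params string[] roles)  => Add(Access.Read, property, roles);
    public void AllowWrite(string property, params string[] roles) => Add(Access.Write, property, roles);

    private void Add(Access op, string property, string[] roles)
    {
        string key = op + ":" + property;
        if (!_rules.TryGetValue(key, out var set))
            _rules[key] = set = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (var role in roles) set.Add(role);
    }

    // Deny by default: a property with no rule for this operation is not accessible.
    // (Design choice for this example; check what your framework does when no rule exists.)
    public bool IsAllowed(Access op, string property, IPrincipal user)
    {
        if (!_rules.TryGetValue(op + ":" + property, out var roles)) return false;
        foreach (var role in roles)
            if (user.IsInRole(role)) return true;
        return false;
    }
}

// Constructed stand-in for one row of a rule table in a database or config file.
class RuleRow
{
    public string ObjectType, Property, Role;
    public Access Operation;
    public RuleRow(string objectType, string property, Access operation, string role)
    { ObjectType = objectType; Property = property; Operation = operation; Role = role; }
}

class Project
{
    // Option 1: role names hard-coded as constants, fine when they rarely change.
    public const string ProjectManager = "ProjectManager";
    public const string Administrator  = "Administrator";

    private readonly AuthorizationRules _auth = new AuthorizationRules();

    // Option 2: pass rule rows loaded at runtime; pass null to use the hard-coded rules.
    public Project(IEnumerable<RuleRow> dynamicRules = null) { AddAuthorizationRules(dynamicRules); }

    private void AddAuthorizationRules(IEnumerable<RuleRow> rows)
    {
        if (rows == null)
        {
            _auth.AllowRead("Name", ProjectManager, Administrator);
            _auth.AllowWrite("Name", ProjectManager);
            _auth.AllowRead("Budget", Administrator);
            _auth.AllowWrite("Budget", Administrator);
            return;
        }
        // Same calls, but driven by data: only this object's rows are applied.
        foreach (var row in rows)
        {
            if (!string.Equals(row.ObjectType, nameof(Project), StringComparison.Ordinal)) continue;
            if (row.Operation == Access.Read) _auth.AllowRead(row.Property, row.Role);
            else _auth.AllowWrite(row.Property, row.Role);
        }
    }

    // The business object, not the UI, is where the check happens.
    public bool CanReadProperty(string p)  => _auth.IsAllowed(Access.Read, p, Thread.CurrentPrincipal);
    public bool CanWriteProperty(string p) => _auth.IsAllowed(Access.Write, p, Thread.CurrentPrincipal);
}

static class Demo
{
    static void Main()
    {
        // Constructed user: the object consults nothing but role membership on the principal.
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("alice"), new[] { "ProjectManager" });

        var hardCoded = new Project();
        Console.WriteLine("hard-coded: write Name = " + hardCoded.CanWriteProperty("Name"));
        Console.WriteLine("hard-coded: read Budget = " + hardCoded.CanReadProperty("Budget"));

        // Same object type, rules loaded from a "table": Budget is now readable by ProjectManager
        // and writable by a role the code never mentions, without recompiling.
        var table = new[] {
            new RuleRow("Project", "Name",   Access.Read,  "ProjectManager"),
            new RuleRow("Project", "Name",   Access.Write, "ProjectManager"),
            new RuleRow("Project", "Budget", Access.Read,  "ProjectManager"),
            new RuleRow("Project", "Budget", Access.Write, "Finance"),
        };
        var dataDriven = new Project(table);
        Console.WriteLine("data-driven: read Budget = " + dataDriven.CanReadProperty("Budget"));
        Console.WriteLine("data-driven: write Budget = " + dataDriven.CanWriteProperty("Budget"));
    }
}
```

Two practitioner caveats that the model makes visible: whichever source the role names come from, the check has to run in the business object on the server (a disabled textbox in the UI is not authorization), and whoever can edit the rule table effectively administers the application's permissions, so that table needs the same protection as the role-membership data itself.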
Copyright (c) Marimer LLC