Hi friends;

I am relatively new to ASP.NET MVC. I like it so much that I have started using it to build some small apps.

Now, I want the user to create roles and privileges, as well as users attached to one or more roles, as in the following example:

Administrator
CanCreateUserAccount
CanEditUserAccount
Etc

HR
CanApproveLeave
CanEffectLoan
ETC

Employee
CanApplyForLeave
CanRaiseIOU
ETC



How best can I implement this in my MVC app?

Note: the users create the roles themselves but choose the privileges from a list of items (an enum-generated list from my code).

Thanks for your understanding and great support.
Updated 27-Mar-12 13:31pm

1 solution

This might give you some ideas: http://weblogs.asp.net/fredriknormen/archive/2007/11/25/asp-net-mvc-framework-security.aspx

However, it is not a good design to allow users themselves to create the roles and choose the privileges. Of course everyone will choose the highest level of access, which defeats the purpose of having any security in the first place.
Comments
awedaonline 28-Mar-12 3:22am    
Thanks Mark, but this is a hard-coded way of creating roles. I don't know how many roles are required, so I want the system administrator of my client to create roles and assign privileges to the roles created.

I do this better in web forms by mapping each privilege to URLs in my app. Since MVC is not using physical file structure for navigation, how do I achieve the same with it?

Thanks for your understanding and support.
[no name] 28-Mar-12 8:18am    
Map each privilege to a URL? WTF?!? This makes it more difficult to create and maintain, it does nothing for security. Secure the controller actions not the URL. http://blogs.msdn.com/b/rickandy/archive/2011/05/02/securing-your-asp-net-mvc-3-application.aspx

The link was provided as a reference for how to use security in MVC. You can create the roles any place you'd like. Such as using the ASP.NET membership database.
awedaonline 31-Mar-12 17:47pm    
Cool. I will check out a custom membership provider. Thanks for your support.
techbrij 15-Jun-12 11:53am    
You can use a membership provider and put the Authorize attribute before the action, where you can also define roles. http://techbrij.com/978/custom-roleprovider-authorization-asp-net-mvc
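
One way to secure controller actions by privilege while an administrator defines the roles at run time, as an added example that is not code from this thread or the linked articles. `RequirePrivilegeAttribute` and `RolePrivilegeStore` are hypothetical names, the role-to-privilege data is constructed, and a configured role provider is assumed so that `Roles.GetRolesForUser` returns the user's roles.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Privileges are fixed in code; administrators only pick from this list.
public enum Privilege { CanCreateUserAccount, CanEditUserAccount, CanApproveLeave, CanApplyForLeave }
// Hypothetical store (role name -> privileges). Constructed sample data; a real
// application would load this from the table the administrator edits.
public static class RolePrivilegeStore
{
    static readonly Dictionary<string, HashSet<Privilege>> Map =
        new Dictionary<string, HashSet<Privilege>>(StringComparer.OrdinalIgnoreCase)
        {
            { "Administrator", new HashSet<Privilege> { Privilege.CanCreateUserAccount, Privilege.CanEditUserAccount } },
            { "HR", new HashSet<Privilege> { Privilege.CanApproveLeave } },
            { "Employee", new HashSet<Privilege> { Privilege.CanApplyForLeave } },
        };
    public static bool AnyRoleGrants(IEnumerable<string> roles, Privilege needed)
    {
        foreach (var role in roles)
        {
            HashSet<Privilege> granted;
            if (Map.TryGetValue(role, out granted) && granted.Contains(needed)) return true;
        }
        return false; // unknown roles and unmapped privileges are denied
    }
}

// Usage on an action: [RequirePrivilege(Privilege.CanApproveLeave)]
public class RequirePrivilegeAttribute : AuthorizeAttribute
{
    readonly Privilege _needed;
    public RequirePrivilegeAttribute(Privilege needed) { _needed = needed; }
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var user = httpContext.User;
        if (user == null || !user.Identity.IsAuthenticated) return false;
        return RolePrivilegeStore.AnyRoleGrants(Roles.GetRolesForUser(user.Identity.Name), _needed);
    }
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Signed-in but unprivileged: 403, not a redirect to the login page.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else base.HandleUnauthorizedRequest(filterContext);
    }
}
```

The screen where roles are created and privileges assigned should itself be an action protected by a privilege held only by the client's administrator.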

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


