Cool Privilege Control System Part 1 -- asp.net MVC

29 Feb 2016, Ms-PL
Standalone Privilege Control, Single Sign-On Solution

Cool Privilege Control System Part 1 -- asp.net MVC

Cool Privilege Control System Part 2 -- asp.net MVC with WCF

Introduction

Privilege control is a very common mechanism. In real life people are assigned different roles: some may maintain sensitive information according to their access level, others may not. Computers work the same way. Microsoft Windows, a well-known PC operating system, has a built-in user management system: an administrator creates user accounts and assigns different privileges to each. If Ricky's role is Administrator and Jenny's role is Guest, both log in with their own login name and password, but Ricky can control everything on the machine while Jenny has no permission beyond viewing. The difference is their privilege. Privilege control is therefore a basic mechanism that other systems build on.

Background

As mentioned above, privilege control is a basic mechanism, so it should already be solved, and many readers will ask "Why discuss it here? Are you wasting our time?" My answer is no. Over the years I have taken part in many projects, and almost every one except the smallest had its own access control. Take an HR system as an example. It holds a lot of sensitive information and consists of many modules: ESS (employee self-service), leave, payroll, attendance and so on, and every module needs access control. In the past we built a separate access control system for each module, so a user such as Jenny ended up with five or more accounts for one system. That is hard for Jenny, who has to remember all of them, and hard for the administrator, who has to maintain them. Furthermore, most existing systems do not cover the real cases: if Jenny is a sales manager, she should only be able to access the people below her and not colleagues in other teams. So today I introduce Cool Privilege Control for anyone who has met the same problems. It centralizes function and user control and resolves the access-level problem, much like a single sign-on system. The version introduced here is based on ASP.NET MVC, but it is not limited to web applications, because the solution is split into tiers: UI (the MVC user interface), BL (business layer) and DAL (data access layer). Replacing the MVC UI with a desktop application (WPF) is not difficult. For MVC developers, Cool Privilege Control provides not only a single sign-on solution but also an MVC extension framework.

Feature

  1. Resolves ordinary access control (users and user roles, functions and function types).
  2. Resolves the problem of a user having different access levels in different organizations.
  3. Provides an audit log, a trace log and an exception log.
  4. Provides a common MVC extension framework that makes development easier and faster.
  5. Supports multiple languages.

Look And Feel

First of all, here are some screen captures of the application, to give a feel for it before going into detail.

Figure 4.1(Login Screen)

Figure 4.2(Function Management)

Figure 4.3(Edit Login User)

Figure 4.4(System Audit Log Management)

Pretty cool, right? Thanks to Bootstrap, a UI toolkit that saves developers a lot of work. From here on we go a little deeper and analyze the access control scenarios that come up in real life.

Scenarios

5.1 Scenario 1

A system has many functions; each function has many function types (insert, update, import, export and so on); and one function type can be assigned to many functions, so Function A and Function B can both have an import method. Function and function type are therefore in a many-to-many relationship. It is simple, and the entity relationship for this case is shown below.

Figure 5.1.1 Function and Function Type relationship

Note: in real cases the function structure can be quite complex. I use a fixed-width path in the format "000100010001" to represent it. For example, function path "0001" is the HR Module, which contains many functions: "00010001" is Staff Info Management and "00010002" is Salary Info Management. Salary Info Management in turn contains functions such as "000100020001" Salary Info Maintenance and "000100020002" Salary Review.

Figure 5.1.2 Functions Structure (HR Module)

From the path "000100020002" we can walk back to the top menu, "HR Module", by recursion over the four-digit segments. The structure allows an unlimited number of levels, and each level can hold 9999 functions, which I think is enough in general. If more are needed, widen the segment: with the format "000010000200002" (five digits per segment) each level can hold 99999 functions. The figure below shows what the menu looks like.

Figure 5.1.3 Menu (HR Module)

5.2 Scenario 2

A login user can be assigned specific functions or specific roles. If a user is assigned several roles, the user can access all functions defined in any of those roles: if Role A grants Function A and Role B grants Function B, and both roles are assigned to a user named "Ricky", then Ricky can access Function A and Function B. The user-role entity relationship is shown below.

Figure 5.2.1 user-role relationship

5.3 Scenario 3

As mentioned before, a user can be assigned to one or more organizations and can only access the users under himself or herself. To solve this we add an entity called "Organization Detail", which stores the privileges attached to an organization assignment. That is not easy to grasp in the abstract, so take a concrete case.

  1. User "Angus" holds two business titles, Project Manager and Sales Assistant Manager. He has
    read-only rights on the function "Function Management";
    full access rights on the function "Login User Management" at Project Manager level;
    read-only rights on the function "Login User Management" at Sales Assistant Manager level.
  2. User "Wells" is a member of the project team.
  3. User "Michael" is a member of the sales team.

Expected result:

When Angus logs in he can access two functions, "Function Management" and "Login User Management". According to the settings, Angus has only search and view rights on "Function Management". On "Login User Management" he can insert/update/delete colleagues in the project team but has only search/view rights on colleagues in the sales team.

For this case we create two Organization Details settings, "ReadOnly" and "Login User Full Access". The screens below show them.

Figure 5.3.1 Function Detail Setting -- ReadOnly

Description: the Organization Details named "ReadOnly" has only "Search" and "View" on Function Management.

Description: the Organization Details named "ReadOnly" has only "Search" and "View" on Login User Management.

Figure 5.3.2 Function Detail Setting -- Login User Full Privilege

Description: the Organization Details named "Login User Full Privilege" has full access rights on Login User Management.

Figure 5.3.3 Login User Settings

Description: the login user "Angus" is assigned two organization settings:
Project Team: Login User Full Access;
Sales Team: ReadOnly.

Figure 5.3.4.1 Organization Structure

Figure 5.3.4.2 Organization Structure Settings

Description: the organization structure above uses the same "000100010001" path format as the functions.

Figure 5.3.5 Login User List (All Users)

The screens below are what Angus sees after logging in.

Figure 5.3.6 Function Management Screen

Description: all Edit/Delete buttons in the screen above are dimmed, because the login user "Angus" has only view/search rights on this function.

Figure 5.3.7 Login User Management Screen

Description: in the screen above, note Angus and Michael: both the Edit and Delete buttons are dimmed on these two records. Angus cannot maintain anyone in the sales team, nor himself, but he can maintain colleagues in the project team.

The figure below shows the ER diagram for this scenario.

Figure 5.3.6 Entity Relationship of Scenario
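The two ideas above, the fixed-width path of scenario 5.1 and the organization-scoped rights of scenario 5.3, fit in one small piece of code. The following is an added example written for this article, not code from the Cool Privilege Control download: HierPath handles the "0001"/"00010002"/... path format that is used for both functions and organizations, and AccessRight resolves the Angus/Wells/Michael case. The type and property names, the organization paths ("00010001" for the project team, "00010002" for the sales team) and the "FunctionKey:FunctionType" right keys are assumptions made for the example, not the project's real entities.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example for scenarios 5.1 and 5.3; not code from the Cool Privilege Control project.
// Names, paths and right keys below are assumptions, not the project's real entities.
public static class HierPath
{
    public const int SegmentWidth = 4;   // "0001" is one level; widen to 5 for 99999 per level

    // A valid path is all digits and a whole number of segments.
    public static bool IsValid(string path)
    {
        return !string.IsNullOrEmpty(path)
            && path.Length % SegmentWidth == 0
            && path.All(char.IsDigit);
    }

    // "000100020002" -> "0001", "00010002", "000100020002" (top menu first), which is
    // how the top menu "HR Module" is recovered from a leaf function by recursion.
    public static List<string> Ancestors(string path)
    {
        if (!IsValid(path)) throw new ArgumentException("Bad path: " + path);
        var chain = new List<string>();
        for (int len = SegmentWidth; len <= path.Length; len += SegmentWidth)
            chain.Add(path.Substring(0, len));
        return chain;
    }

    // Because every segment has the same width, "is under" is a plain prefix test.
    // A path counts as under itself (members of an organization are "under" it).
    public static bool IsUnder(string path, string ancestor)
    {
        return IsValid(path) && IsValid(ancestor)
            && path.StartsWith(ancestor, StringComparison.Ordinal);
    }
}

public sealed class LoginUser
{
    public string Name;
    public string OrgPath;   // organization unit the user belongs to
    // organization path -> "FunctionKey:FunctionType" rights granted on users under that path
    public Dictionary<string, HashSet<string>> OrgGrants = new Dictionary<string, HashSet<string>>();
}

public static class AccessRight
{
    // Rights that do not depend on a target record, e.g. Search/View on Function Management:
    // any organization assignment that grants the right is enough.
    public static bool Allowed(LoginUser actor, string functionKey, string functionType)
    {
        string want = functionKey + ":" + functionType;
        return actor.OrgGrants.Values.Any(g => g.Contains(want));
    }

    // Rights on a specific target user: only the deepest assignment covering the
    // target's organization applies, and (as in figure 5.3.7) nobody maintains himself.
    public static bool Allowed(LoginUser actor, string functionKey, string functionType, LoginUser target)
    {
        if (actor.Name == target.Name) return false;
        string want = functionKey + ":" + functionType;
        HashSet<string> grant = actor.OrgGrants
            .Where(g => HierPath.IsUnder(target.OrgPath, g.Key))
            .OrderByDescending(g => g.Key.Length)
            .Select(g => g.Value)
            .FirstOrDefault();
        return grant != null && grant.Contains(want);
    }
}

public static class Scenario53
{
    // Organization Details from figures 5.3.1 and 5.3.2; the organization paths are assumed.
    static readonly HashSet<string> ReadOnly = new HashSet<string> {
        "Function:Search", "Function:View", "LoginUser:Search", "LoginUser:View" };
    static readonly HashSet<string> LoginUserFullAccess = new HashSet<string> {
        "LoginUser:Search", "LoginUser:View", "LoginUser:Create", "LoginUser:Edit", "LoginUser:Delete" };

    public static readonly LoginUser Angus = new LoginUser {
        Name = "Angus", OrgPath = "00010001",
        OrgGrants = { { "00010001", LoginUserFullAccess },   // Project Team: full access
                      { "00010002", ReadOnly } } };          // Sales Team: read-only
    public static readonly LoginUser Wells = new LoginUser { Name = "Wells", OrgPath = "00010001" };
    public static readonly LoginUser Michael = new LoginUser { Name = "Michael", OrgPath = "00010002" };

    public static void Main()
    {
        Console.WriteLine(string.Join(" > ", HierPath.Ancestors("000100020002")));
        Console.WriteLine(AccessRight.Allowed(Angus, "Function", "Edit"));            // Angus is read-only on Function Management
        Console.WriteLine(AccessRight.Allowed(Angus, "LoginUser", "Edit", Wells));    // project team colleague, full access applies
        Console.WriteLine(AccessRight.Allowed(Angus, "LoginUser", "Edit", Michael));  // sales team colleague, ReadOnly applies
        Console.WriteLine(AccessRight.Allowed(Angus, "LoginUser", "View", Michael));  // ReadOnly still grants View
        Console.WriteLine(AccessRight.Allowed(Angus, "LoginUser", "Edit", Angus));    // a user never maintains himself
    }
}
```

Two details matter for security here. The prefix test is only safe because every segment has the same width; with variable-width segments "001" would wrongly match "0010..." paths. And the resolver picks the deepest matching assignment rather than the union of all of them, so a read-only grant on a sub-team is not silently overridden by a broader full-access grant higher up the tree; if your policy wants the opposite, make that choice explicit rather than relying on dictionary order.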

Settings

I publish two versions, one for MSSQL and one for MySQL. If you use MSSQL, download "CoolAccessControl.Community.MSSQL.zip"; if you use MySQL, download "CoolAccessControl.Community.MYSQL.zip". My development environment is listed below for reference. If your local environment is older, I suggest upgrading so that the program runs; if it is the same or newer there should be no compatibility issue, but I cannot guarantee it.

  1. Microsoft Visual Studio 2013
  2. .NET Framework 4.5.1
  3. MSSQL Server 2012 or MYSQL 5.6.26
  4. MVC 5.2.3
  5. Entity Framework 6.0

Mandatory step: after opening the solution, right-click the solution and select "Enable NuGet Package Restore".

Figure 6.0.1 Enable NuGet Package Restore

6.1 EDIT WEB.CONFIG FILE

6.1.1 For MYSQL user

Figure 6.1.1 web.config(MySql Version)

Pay attention to the appSettings node: change the DBSource/DBName/DBPort/LoginName/LoginPWD values to match your MySQL server.

Property Description
DBSource: IP address or host name of the database server
DBName: Database name
DBPort: Server TCP/IP port
LoginName: DB user name
LoginPWD: DB user password
IsDebug: If true, the details of any exception are shown on the page; if false, they are not.

Two cautions apply to both the MySQL and the MSSQL version. LoginPWD is stored in clear text in web.config, so restrict who can read the file (or encrypt the section with ASP.NET protected configuration) and give that DB account only the rights the application needs. Keep IsDebug false outside development: exception pages disclose internal paths, SQL and stack traces to whoever triggers the error.

6.1.2 For MSSQL user

Figure 6.1.2 web.config(MSSql Version)

As for MySQL, change the DBSource/DBName/LoginName/LoginPWD values to match your MSSQL server; there is no separate DBPort. In MSSQL the port is appended to the server name or IP address after a comma, e.g.

WELLSCHEUNG\MSSQLSERVER2012,49287 (49287 is the port)

Property Description
DBSource: IP address or host name of the server
With port: server name or IP address,port
DBName: Database name
LoginName: DB user name
LoginPWD: DB user password
IsDebug: If true, the details of any exception are shown on the page; if false, they are not.
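Because LoginPWD is kept in clear text in the appSettings node of both versions, a practitioner will want to encrypt that section before the site goes anywhere near production. The following is an added example, not part of the Cool Privilege Control download: it uses the .NET protected configuration API with the DPAPI provider, so the section is stored encrypted on disk while ConfigurationManager.AppSettings keeps returning the decrypted values to the application. The class name and the virtual path are assumptions; it needs references to System.Configuration and System.Web.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example, not part of the Cool Privilege Control download: encrypts the appSettings
// section that holds DBSource/LoginName/LoginPWD with the DPAPI protected-configuration
// provider so the database password is not stored in clear text in web.config.
// ConfigurationManager.AppSettings still returns decrypted values at run time, so the
// code that reads the settings does not change. Class name and virtual path are assumptions.
public static class ConfigProtector
{
    // DPAPI provider: the key is bound to this machine (or user account), so run the
    // protection step on the server that hosts the site, not on the build machine.
    private const string Provider = "DataProtectionConfigurationProvider";

    // virtualPath is the application's virtual path, e.g. "/" or "/CoolAccessControl".
    // Returns true if the section was encrypted by this call, false if it already was.
    public static bool ProtectAppSettings(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("appSettings");
        if (section == null) throw new InvalidOperationException("appSettings section not found");
        if (section.SectionInformation.IsProtected) return false;

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;   // write the section even if its values are unchanged
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Reverse operation, e.g. before editing the values by hand.
    public static bool UnprotectAppSettings(string virtualPath)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(virtualPath);
        ConfigurationSection section = config.GetSection("appSettings");
        if (section == null || !section.SectionInformation.IsProtected) return false;

        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }
}
```

OpenWebConfiguration resolves the virtual path through IIS, so call this from inside the deployed application (a one-off administrative action is enough) or use the equivalent command-line tool, aspnet_regiis -pe "appSettings" -app "/CoolAccessControl", on the server. With the DPAPI provider the encrypted web.config cannot be copied to another machine; repeat the step there, or switch to the RSA provider with an exported key container if several servers must share one file.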

6.1.3 Enable or Disable DB initializer

This is the code-first database initialization feature of Entity Framework, and it is the most useful one I know. When you run the project, if the database does not exist on the server and the flag is enabled, Entity Framework creates it for you. For more information see MSDN (https://msdn.microsoft.com/en-us/data/ee712907). If you do not want Entity Framework to initialize the database, and possibly overwrite an existing one, set the "disableDatabaseInitialization" attribute on the context element to true. Do this before the first run on any server that already holds real data.

Figure 6.1.3 disableDatabaseInitialization flag

Alternatively, you can initialize the database from a SQL script or a database backup. I provide a SQL script for MySQL users and a database backup for MSSQL users.

MySql Script ( Change file name extension to ".sql" )

MSSql Database Backup ( Change file name extension to ".bak" )

6.2 Edit Log4Net.config file

The system uses log4net to record trace and error information. Most of you probably have more log4net experience than I do, so I will not repeat its documentation here. I will only point out that every function in the system has trace logging enabled by default, including both input and output values. That makes it easy to trace an error on site even when Visual Studio debugging is not available. It also means that whatever a user submits, passwords included, ends up in the trace log unless the action is excluded (see [UnTracerAction] and EnableTracer=false below), so check which actions carry secrets before deploying with the default.

It is easy to turn logging off or to capture a different level of information. log4net predefines seven levels.

The following levels are defined in order of increasing priority:

  • ALL
  • DEBUG
  • INFO
  • WARN
  • ERROR
  • FATAL
  • OFF

Set the "level" attribute in log4net.config to the level you want.

Figure 6.2.1 Log4Net.config

SysLog: logs all information of the system.
ErrorLog: logs only exceptions.

The setting above is global. To stop one or more functions from logging automatically, mark the function with the [UnTracerAction] attribute; nothing is logged for that function.

Figure 6.2.2 UnTracerAction Function

If you only want to log that the main thread entered and left the function, without the detailed input and output values, mark the function with [TracerActionWithDetails(EnableTracer=false)].

Figure 6.2.3 [TracerActionWithDetails(EnableTracer=false)] Function

The screens below show the results of the two settings.

Figure 6.2.4 The log of tracer action without details

Figure 6.2.5 The log of tracer action with details
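The trace attributes above are all-or-nothing per action: either the full input is logged or none of it. The following is an added example written for this article, not the project's own [TracerActionWithDetails] or [UnTracerAction] code: an ASP.NET MVC 5 action filter that writes the same kind of ENTER/LEAVE lines through log4net but masks every action parameter whose name looks like a secret, so that "trace everything by default" cannot copy a submitted password into SysLog. The attribute name, the Sensitive word list and the log line format are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;
using log4net;

// Added example, not the project's own tracer attributes. Logs ENTER/LEAVE per action via
// log4net and masks parameters whose name looks like a secret. Names are assumptions.
public sealed class RedactingTracerAttribute : ActionFilterAttribute
{
    private static readonly ILog Log = LogManager.GetLogger(typeof(RedactingTracerAttribute));
    private static readonly string[] Sensitive = { "password", "pwd", "secret", "token" };

    // Same idea as EnableTracer=false: log entry and exit only, without parameter values.
    public bool EnableDetails { get; set; }

    public RedactingTracerAttribute() { EnableDetails = true; }

    public static bool IsSensitive(string parameterName)
    {
        string lower = (parameterName ?? string.Empty).ToLowerInvariant();
        return Sensitive.Any(s => lower.Contains(s));
    }

    // Renders "loginName=angus, password=***": secret values are replaced by a fixed mask.
    public static string Format(IDictionary<string, object> parameters)
    {
        var parts = new List<string>();
        foreach (KeyValuePair<string, object> kv in parameters)
        {
            string value = IsSensitive(kv.Key) ? "***" : Convert.ToString(kv.Value);
            parts.Add(kv.Key + "=" + value);
        }
        return string.Join(", ", parts);
    }

    private static string Where(ActionDescriptor action)
    {
        return action.ControllerDescriptor.ControllerName + "." + action.ActionName;
    }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        string where = Where(filterContext.ActionDescriptor);
        Log.Info(EnableDetails
            ? "ENTER " + where + " (" + Format(filterContext.ActionParameters) + ")"
            : "ENTER " + where);
        base.OnActionExecuting(filterContext);
    }

    public override void OnActionExecuted(ActionExecutedContext filterContext)
    {
        string where = Where(filterContext.ActionDescriptor);
        if (filterContext.Exception != null)
            Log.Error("FAIL  " + where, filterContext.Exception);   // ERROR level reaches ErrorLog
        else
            Log.Info("LEAVE " + where);
        base.OnActionExecuted(filterContext);
    }
}
```

Apply it to one action with [RedactingTracer] or [RedactingTracer(EnableDetails = false)], or to every controller by adding new RedactingTracerAttribute() to GlobalFilters.Filters in FilterConfig. Redaction is by parameter name only: when an action takes a view model, the model is logged by its type name and a password property inside it is neither logged nor redacted, so if you need property-level tracing of models, extend Format to walk the model's properties and apply IsSensitive to each property name.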

After these settings the system is ready to use. Press F5 in Visual Studio and check for compile errors. If any error appears, send it to me for inspection or search for a solution on Google.

The next section introduces the functions of the system: creating function types, functions, login users, roles, organizations and access levels, assigning functions to a specific login user, and so on.

How To Use

7.1 System Settings

1. Click sub menu "System Info Management" in main menu "Access Management".

7.1.1

2. Change values according to your requirement.

7.1.2

Key Description
Session Timeout (Seconds): Default 10 minutes = 600 seconds. Cool Privilege Control maintains its own session timeout on top of the ASP.NET session mechanism, so the effective timeout is the smaller of the two. The ASP.NET default idle timeout is 20 minutes, so if you set this value to 20 minutes or more, a session still expires after 20 minutes without user activity. To use a longer timeout, raise the ASP.NET session timeout above the Cool Privilege Control value; see https://msdn.microsoft.com/en-us/library/h6bb9cz9(v=vs.100).aspx for how. I usually extend the ASP.NET session timeout to 60 minutes. Longer idle sessions widen the window in which an unattended browser can be abused, so keep the value as short as your users can live with.
7.1.2.1
Page Size: Number of rows on each list page.
Maximum Page Numbers Showing in Page Bar: How many page numbers the page bar shows.
7.1.2.2
Date Format: Default yyyy-MM-dd, e.g. 2016-01-21
Time Format: Default HH:mm:ss, e.g. 22:10:05
Password Policy: Contains many rules. I think it is strong enough to protect passwords, and I will not explain each rule here; the rules are self-explanatory.

7.2 Maintain Function Type

Cool Privilege Control lets users create their own function types. View, Search, Create, Edit and Delete are the most frequently used; Export, Import, Preview and Process are common in many cases. All of these are preset to avoid duplicated effort.

  1. Create Function Type

    1. Click Create Function Type button in bottom left of the Function Type Management page.

      7.2.1.1
    2. Type the function type name, such as "Generate".

      7.2.1.2
    3. Click Save button.

  2. Delete Function Type

    Click the Delete button of the record you want.

  3. Edit Function Type

    1. Click Edit

      7.2.1.3.1
    2. Change Function Type.

    3. Click Save button.

7.3 Maintain Function

As section 5 described, Cool Privilege Control uses the "000100010001" format to separate functions. In theory the system supports unlimited function levels and 9999 functions per level.

  1. Create Function

    1. Click Create Function button in bottom left of the Function Management page.

      7.3.1.1
    2. Type the Function Key and Function Path, and select the Function Types that belong to this function.

      7.3.1.2
    3. Click Save button.

      7.3.1.3
  2. Delete Function

    Click the Delete button of the record you want.

  3. Edit Function

    1. Click Edit button of the record you wanted.

    2. Change value and Click Save button.

7.4 Maintain Role

  1. Create Role

    1. Click the Create User Role button in the bottom left of the Role Management page.

    2. Type a Role Name, e.g. Admin.

    3. Assign functions with their function types to the new role.

      7.4.1.3
    4. Click Save button.

  2. Delete Role

    Click the Delete button of the record you want.

  3. Edit Role

    The steps are the same as in the section above.

7.5 Maintain Organization

  1. Create Organization

    1. Click Create Organization button in bottom left of the Organization Management page.

    2. Type the Organization Key, e.g. CEO.

    3. Type the Organization Path, e.g. 0001.

      7.4.1.3
  2. Delete Organization(Omitted)

  3. Edit Organization(Omitted)

7.6 Maintain Organization Details

  1. Create Organization Details

    1. Click Create Organization Details button in bottom left of the Organization Details Management page.

    2. Type the Organization Details Key.

    3. Select the Organization Details Type.

      There are two types of organization details: "Specific Functions" and "As Role Settings". You can assign specific functions to the new organization details, or make it follow the settings of a role.

      Figure 7.6.1 Specific Function
      Figure 7.6.2 As Role Settings
    4. Click Save button.

  2. Delete Organization Details (Omitted)

  3. Edit Organization Details (Omitted)

7.7 Maintain Login User

  1. Create Login User

    1. Click Create Login User button in bottom left of the Login User Management page.

      7.7.1.1
    2. Fill in the mandatory fields: Login Name / Password / Confirm Password / Status.

    3. Select Login User Type.

      1. Specific Functions: assign specific functions to the user.

      2. As Role Settings: assign a preset role to the user.

      3. As Organization Settings: assign an organization unit, with its corresponding organization details, to the user.

        7.7.1.3
      4. Click Save button.

  2. Delete Login User (Omitted)

  3. Edit Login User (Omitted)

7.8 System Audit Log Management

In this function you can retrieve all events recorded by the system, filter them by selection criteria, and export the log as an Excel file for inspection.

7.8

7.9 Authorized History Management

7.9

7.10 Multilingual

As mentioned in the first section, Cool Privilege Control is designed for multiple languages. Currently the system has three: English, Simplified Chinese and Traditional Chinese. Language packs can be extended by adding resource files, and I hope you will help me add more. Send your resource files to my email (wells-z@hotmail.com or wellscheung@gmail.com); I will consolidate all of them and include them in the system. The following section explains how to create localized resource files.

7.10.1 Create localized version of resource files

  1. Open project named "CoolAccessControlLangPack".

    7.10.1.1

    We need to create three categories of resource file: FunctionRes.resx, lblCommon.resx and MsgRes.resx.

  2. In Solution Explorer right-click the project, point to Add, and then click New Item.

  3. In the Add New Item dialog box, select Resources File and name the file FunctionRes.de-de.resx. The file name indicates the language, German, and the country, Germany.

    File name format:

    <base file name>.<language-country>.resx

    If you do not know the country and language codes, see the link below.

    http://www.csharp-examples.net/culture-names/

    We have to create three files for each language and country.

    E.g.
    FunctionRes.de-de.resx
    lblCommon.de-de.resx
    MsgRes.de-de.resx

    7.10.1.3
  4. Open the Resource Designer, change the Access Modifier to "No code generation" and copy all key-value pairs from the base resource file to the new resource file.

    7.10.1.4
  5. Translate every sentence in the Value column into your language.

  6. Save the file and repeat the same steps to create the remaining two files.

    i.e. lblCommon.xx-xx.resx

          MsgRes.xx-xx.resx

    7.10.1.6
  7. Send the three files to me (wells-z@hotmail.com or wellscheung@gmail.com). I will consolidate everyone's resources and publish a new version with your language pack to the site. Thanks.

Testing Site

For those who want to try the system immediately or trace a bug, I have set up a testing site at http://www.wellscom.net. To protect it, the admin account and the functions whose function path starts with "0004" are locked, and the site data is restored every night at midnight US Eastern time.

I have set up several accounts for you to explore. They are demo accounts with a shared trivial password; if the same accounts exist in the database script or backup you restore locally, change their passwords before exposing your own installation.

Admin -- Administrator

Login Name: admin
Password:123456

Angus – Project Manager

Login Name: angus
Password:123456

Wells – Project team developer

Login Name: wells
Password:123456

Alice – Project team officer

Login Name: alice
Password:123456

Tim – Sales Manager

Login Name: tim
Password:123456

Michael – Sales

Login Name: michael
Password:123456

Test-driven development

Cool Privilege Control System is developed with the test-driven development (TDD) approach; for many companies TDD is mandatory in an iterative development cycle. The solution contains 40 test cases covering all controllers, and you can run them all by clicking "Run All" in Test Explorer. You can of course add new test cases, or new conditions to the existing ones, as your requirements demand. The tests use xUnit and a mocking library (Mock). xUnit is a test framework that integrates with Visual Studio in the same way as MSTest and NUnit; for more information see its official site.

Figure 6.0.1 Test Explorer

Finally

Cool Privilege Control is built on several interesting patterns and frameworks: MVC, MEF, Entity Framework, jQuery and Bootstrap (UI). I am sorry I cannot introduce all of them in a short article. If you have any questions about Cool Privilege Control, feel free to contact me. Thanks for reading.

History

2016-01-22 Initial publication

2016-02-01 Changed the project name from "Cool Access Control" to "Cool Privilege Control"; fixed bugs and display issues.

2016-02-02 Fixed download link's destination.

2016-02-08 WCF Service preparation

2016-03-01 Merge with WCF Service Version and add Testing project.

License

This article, along with any associated source code and files, is licensed under The Microsoft Public License (Ms-PL)


About the Author

wells cheung
Hong Kong
ASP.NET Developer 3.5(Microsoft® Certified Professional Developer)
.NET Framework 3.5, ASP.NET Applications(Microsoft® Certified Technology Specialist)

Last Updated 29 Feb 2016
Article Copyright 2016 by wells cheung