1

From what i have read from this paper I understand that a role based access control system is one where users can be assigned to roles where roles specify permissions to perform operations on objects But in asp.net we do not specify "Operations on objects", what i mean here is that how can we specify "All users in Role R can perform a delete on object O" Where is the Object Part in ASP.Net

Sean Carpenter
  • 7,681
  • 3
  • 37
  • 38
taher chhabrawala
  • 4,110
  • 4
  • 35
  • 51

4 Answers4

4

The security model is asp.net is pretty limited. In essence you only have control at the Role level. Which means that for any operation you have to test to see if the user is any of the roles that you want to allow that operation to be performed.

We took the path of defining our own model that gives much more granularity. Basically we define operations and assign those operations to various roles. This way we can test if they have a "delete account" right versus testing if they are in "Admin", "Account Admin", or any number of other roles. It's very similar to how Active Directory works. Further it allows us to reconfigure roles as needed.

There is a piece called Authorization Manager (AzMan) that ships with windows. It can work with your membership provider to provide operation level control. Some people have had success with it, but others have complained that it's difficult to get working. We used it about 5 years ago on a project and at that time it worked about 95% of the time. The other 5% it had communications issues with our AD controller.

Which leads us to your question: Is the built in ASP.Net membership provider a true role based access control system? No. It allows you to define Roles, not operations.

NotMe
  • 87,343
  • 27
  • 171
  • 245
  • +1 for azman. We're using it for several years and it's very convenient. The only problem we had is that AzMan opened an xml store exclusively. But the latest version supports SQL Server as a storage option which is great. (We couldn't use ADAM for several reasons.) – Dmitry Apr 26 '11 at 15:35
  • Your answer has some good advice, but I disagree when you say that ASP.Net role based security is an RBAC system. It doesn't support defining operations for your app or mapping operations to roles. It only allows you to assign roles and test for role membership. The rest is left up to the developer to create. – Brian Cauthon Apr 26 '11 at 15:48
  • @Brian Cauthon: You are correct. I looked a little closer at what the true definition of RBAC is and updated my answer accordingly. – NotMe Apr 26 '11 at 16:22
  • @taher: I'm not sure why you'd need azman open sourced.. It's been part of windows since at least 2003: http://support.microsoft.com/kb/324470 – NotMe Apr 27 '11 at 13:26
  • @chris..i am building a web app wherein i want to implement role based security...since asp.net's role system is not complete i want to roll out my own RBAC system – taher chhabrawala Apr 27 '11 at 14:59
0

As suggested in previous posting, to achieve more granularity you would need to build up on the existing ASP.net membership and role providers. There are third party controls such as http://www.visualaccesscontrol.com that provide role based Module Access Security and Data Access Security as well. With Visual Access Controls you can add administrative functionalities to your ASP.net web application to dynamically restrict the users to the activities they are allowed to perform and the subset of data they are allowed to see based on their respective roles.

Marc
  • 1
0

Check out rhino security if you need something more fine grained.

maciek
  • 661
  • 4
  • 10
-1

You are implementing the delete operation, so it is up to you to check if the logged in user has permission to delete the object. For example, you might create a role "CanDeleteOs". Then, your code would look like this:

if ( !Roles.IsUserInRole("CanDeleteOs") )
    throw new Exception("User does not have permission to delete O's.");
Katie Kilian
  • 6,815
  • 5
  • 41
  • 64
  • A role is not a permission/operation and should not be used as such. – O.O Dec 04 '11 at 23:18
  • Then what is it? How should a role be used, if not as a permission? And what should be used in place of a permission? – Katie Kilian Dec 05 '11 at 16:06
  • 1
    In this context a Role is similar to a Group (if you think users and groups). A permission is one level of additional detail that is not included with .NET security (authentication & authorization). A true RBAC framework makes a clear distinction between users, roles, and operations/permissions. You can use something like AzMan, visual-guard, asp.net permission manager, or roll your own. – O.O Dec 05 '11 at 19:29
  • Got it. Not sure it was worth a down vote per se, but I appreciate the clarification nonetheless. Thanks for the follow up. – Katie Kilian Dec 05 '11 at 19:55
  • I would remove the down vote now that there is context in these comments, but it won't let me. The main reason I down voted was because your answer was promoting bad practice and could lead the uninitiated astray. No problem. – O.O Dec 05 '11 at 21:02