How to store Role Based Access rights in web application?

Posted by JonH on Programmers See other posts from Programmers or by JonH
Published on 2014-06-13T02:22:06Z Indexed on 2014/06/13 3:39 UTC


Currently working on a web-based CRM-type system that deals with various Modules such as Companies, Contacts, Projects, Sub Projects, etc. A typical CRM-type system (ASP.NET Web Forms, C#, SQL Server backend). We plan to implement role-based security so that, basically, a user can have one or more roles.

Roles would be broken down first by the module type, such as:

- Company
- Contact

And then by the actions for that module; for instance, each module would end up with a table such as this:

Role1 Example:

    Module   Create  Edit        Delete   View
    Company   Yes    Owner Only    No     Yes
    Contact   Yes    Yes           Yes    Yes

In the above case Role1 has two module types (Company and Contact). For Company, the person assigned to this role can create companies, can view companies, can only edit records he/she created, and cannot delete. For this same role, for the Contact module, this user can create contacts, edit contacts, delete contacts, and view contacts (full rights, basically).

I am wondering: is it best, upon coming into the system, to session the user's roles with something like:

    List<Role> roles;

where the Role class would have some sort of List<Module> modules (which can contain Company, Contact, etc.)? Something to the effect of:

    class Role
    {
        string name;
        string desc;
        List<Module> modules;   // one entry per module type: Company, Contact, ...
    }

And the module action class would have a set of actions (Create, Edit, Delete, etc.) for each module:

    class ModuleActions
    {
        List<Action> actions;   // Create, Edit, Delete, View for one module
    }

And the action has a value of whether the user can perform the right:

    class Action
    {
        string right;           // e.g. "Yes", "No", "Owner Only"
    }

Just a rough idea; I know the action could be an enum and the ModuleActions class can probably be eliminated with a List<x, y>. My main question is: what would be the best way to store this information in this type of application? Should I store it in the user Session state (I have a session class where I manage things related to the user)? I generally load this during the initial loading of the application (global.asax), and I can simply tack onto this session.

Or should this be loaded at the page load event of each module (page load of Company, etc.)? I eventually need to be able to hide/unhide various buttons/divs based on the user's role, and that is what got me thinking of loading this via session.

Any examples or points would be great.
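One way to model the permission table from the question, added here as an example and not code from the original post. It flattens each role into (Module, Operation, Scope) cells, where Scope carries the "Yes" / "No" / "Owner Only" values of the table, merges a user's roles into one most-permissive set at login (the object that would go into Session), and answers the record-level question "can this user edit this company?" by comparing the record owner against the user. The type names (Module, Operation, Scope, Permission, Role, EffectivePermissions), the user ids and the second role are assumptions constructed for the example; Role1 is the table from the question.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example (not the poster's code). Type names and sample ids are assumptions.
public enum Module { Company, Contact, Project, SubProject }

public enum Operation { Create, Edit, Delete, View }

// The three cell values in the question's table, ordered so that a larger value is
// always the more permissive one; merging roles then reduces to Math.Max.
public enum Scope { None = 0, OwnerOnly = 1, All = 2 }

public sealed class Permission
{
    public Module Module { get; }
    public Operation Operation { get; }
    public Scope Scope { get; }

    public Permission(Module module, Operation operation, Scope scope)
    {
        Module = module;
        Operation = operation;
        Scope = scope;
    }
}

public sealed class Role
{
    public string Name { get; }
    public IReadOnlyList<Permission> Permissions { get; }

    public Role(string name, params Permission[] permissions)
    {
        Name = name;
        Permissions = permissions;
    }
}

// Computed once at login and kept in Session: the union of the user's roles,
// flattened to one Scope per (Module, Operation) cell.
public sealed class EffectivePermissions
{
    private readonly Dictionary<(Module, Operation), Scope> _cells =
        new Dictionary<(Module, Operation), Scope>();

    public EffectivePermissions(IEnumerable<Role> roles)
    {
        foreach (var p in roles.SelectMany(r => r.Permissions))
        {
            var key = (p.Module, p.Operation);
            _cells.TryGetValue(key, out var current);   // absent cell -> Scope.None
            _cells[key] = (Scope)Math.Max((int)current, (int)p.Scope);
        }
    }

    public Scope ScopeFor(Module module, Operation operation) =>
        _cells.TryGetValue((module, operation), out var s) ? s : Scope.None;

    // Record-level decision. Create has no record yet, so anything above None allows it;
    // Edit/Delete/View on an existing record need the owner id to resolve an OwnerOnly cell.
    public bool Can(Module module, Operation operation, int userId, int? recordOwnerId = null)
    {
        var scope = ScopeFor(module, operation);
        if (scope == Scope.All) return true;
        if (scope == Scope.None) return false;
        if (operation == Operation.Create) return true;
        return recordOwnerId.HasValue && recordOwnerId.Value == userId;
    }
}

public static class Program
{
    public static void Main()
    {
        // Role1 from the question: Company = Create Yes, Edit Owner Only, Delete No, View Yes;
        // Contact = full rights. Constructed from the table above.
        var role1 = new Role("Role1",
            new Permission(Module.Company, Operation.Create, Scope.All),
            new Permission(Module.Company, Operation.Edit,   Scope.OwnerOnly),
            new Permission(Module.Company, Operation.Delete, Scope.None),
            new Permission(Module.Company, Operation.View,   Scope.All),
            new Permission(Module.Contact, Operation.Create, Scope.All),
            new Permission(Module.Contact, Operation.Edit,   Scope.All),
            new Permission(Module.Contact, Operation.Delete, Scope.All),
            new Permission(Module.Contact, Operation.View,   Scope.All));

        // Assumed second role that widens Company.Edit; the union of roles must win.
        var companyEditor = new Role("CompanyEditor",
            new Permission(Module.Company, Operation.Edit, Scope.All));

        const int me = 7, someoneElse = 42;   // constructed user ids

        var asRole1 = new EffectivePermissions(new[] { role1 });
        Console.WriteLine("edit own company:      " + asRole1.Can(Module.Company, Operation.Edit, me, me));
        Console.WriteLine("edit other's company:  " + asRole1.Can(Module.Company, Operation.Edit, me, someoneElse));
        Console.WriteLine("delete own company:    " + asRole1.Can(Module.Company, Operation.Delete, me, me));
        Console.WriteLine("delete other's contact:" + asRole1.Can(Module.Contact, Operation.Delete, me, someoneElse));
        Console.WriteLine("view a project:        " + asRole1.Can(Module.Project, Operation.View, me));

        var merged = new EffectivePermissions(new[] { role1, companyEditor });
        Console.WriteLine("edit other's company with both roles: "
            + merged.Can(Module.Company, Operation.Edit, me, someoneElse));
    }
}
```

The (role, module, operation, scope) cell is also the natural shape for a single SQL table, so the Session object is just a cache of one query per login, which fits the global.asax loading the question describes. Whatever is kept in Session, the same `Can(...)` call has to run again inside the server-side handler of the Create/Edit/Delete button, with the owner id read from the database row rather than from the page: hiding a control only shapes the UI, and the handler is where the decision is actually enforced.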

