How to store Role Based Access rights in web application?
- by JonH
Currently working on a web based CRM type system that deals with various Modules such as Companies, Contacts, Projects, Sub Projects, etc. A typical CRM type system (asp.net web form, C#, SQL Server backend). We plan to implement role based security so that basically a user can have one or more roles.
Roles would be broken down first by the module type, such as:
- Company
- Contact
And then by the actions for that module for instance each module would end up with a table such as this:
Role1 example:

| Module  | Create | Edit       | Delete | View |
|---------|--------|------------|--------|------|
| Company | Yes    | Owner Only | No     | Yes  |
| Contact | Yes    | Yes        | Yes    | Yes  |
In the above case Role1 has two module types (Company, and Contact). For company, the person assigned to this role can create companies, can view companies, can only edit records he/she created and cannot delete. For this same role for the module contact this user can create contacts, edit contacts, delete contacts, and view contacts (full rights basically).
I am wondering is it best upon coming into the system to session the user's role with something like a:
    List<Role> roles;

Where the Role class would have some sort of List<Module> modules (which can contain Company, Contact, etc.)? Something to the effect of:
    class Role
    {
        public string Name;          // e.g. "Role1"
        public string Desc;
        public List<Module> Modules; // Company, Contact, ...
    }
And the module action class would have a set of actions (Create, Edit, Delete, etc.) for each module:
    class ModuleActions
    {
        public List<Action> Actions; // Create, Edit, Delete, View for one module
    }
And the action has a value of whether the user can perform the right:
    class Action
    {
        public string Right; // "Yes", "Owner Only" or "No"
    }
Just a rough idea, I know the action could be an enum and the ModuleAction can probably be eliminated with a List<x, y>. My main question is what would be the best way to store this information in this type of application: Should I store it in the User Session state (I have a session class where I manage things related to the user). I generally load this during the initial loading of the application (global.asax). I can simply tack onto this session.
Or should this be loaded at the page load event of each module (page load of company, etc.)? I eventually need to be able to hide / unhide various buttons / divs based on the user's role, and that is what got me thinking to load this via session.
Any examples or points would be great.
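As an added example (not the poster's code), here is one way to model the Role -> Module -> Action matrix from the question, including the "Owner Only" cell, with a single server-side check that every page and handler can call regardless of whether the roles are cached in the session or loaded per page. The type names Module, Operation, Grant, Role and Authz are hypothetical; "actions" is renamed Operation to avoid clashing with System.Action.

```csharp
using System.Collections.Generic;

// Hypothetical model for the question's Role -> Module -> Action matrix (not the poster's code).
public enum Module { Company, Contact, Project, SubProject }
public enum Operation { Create, Edit, Delete, View }   // the question's "actions"
public enum Grant { No, OwnerOnly, Yes }               // the cells of the question's table

public sealed class Role
{
    public string Name { get; }
    // One Grant per (Module, Operation); a missing entry means No (default deny).
    private readonly Dictionary<(Module, Operation), Grant> _matrix =
        new Dictionary<(Module, Operation), Grant>();

    public Role(string name) { Name = name; }

    public Role Set(Module m, Operation op, Grant g) { _matrix[(m, op)] = g; return this; }

    public Grant GrantFor(Module m, Operation op) =>
        _matrix.TryGetValue((m, op), out var g) ? g : Grant.No;
}

public static class Authz
{
    // Server-side decision over all of the user's roles (the most permissive grant wins).
    // OwnerOnly requires the caller to pass the record's owner; with no owner known it denies.
    public static bool Can(IEnumerable<Role> roles, string userId, Module m, Operation op,
                           string recordOwnerId = null)
    {
        foreach (var role in roles)
        {
            var g = role.GrantFor(m, op);
            if (g == Grant.Yes) return true;
            if (g == Grant.OwnerOnly && recordOwnerId != null && recordOwnerId == userId) return true;
        }
        return false;
    }

    // Role1 exactly as tabulated in the question: Company = Yes / Owner Only / No / Yes, Contact = all Yes.
    public static Role BuildRole1() => new Role("Role1")
        .Set(Module.Company, Operation.Create, Grant.Yes)
        .Set(Module.Company, Operation.Edit,   Grant.OwnerOnly)
        .Set(Module.Company, Operation.View,   Grant.Yes)      // Delete left unset => No
        .Set(Module.Contact, Operation.Create, Grant.Yes)
        .Set(Module.Contact, Operation.Edit,   Grant.Yes)
        .Set(Module.Contact, Operation.Delete, Grant.Yes)
        .Set(Module.Contact, Operation.View,   Grant.Yes);
}
```

Page_Load can set `Visible` on the edit/delete buttons from `Authz.Can(...)`, and the button's Click handler (and the data layer) should call the same `Authz.Can(...)` again before acting, because a hidden control is a usability hint rather than an access control. The role list itself is cheap to keep in the session as planned; only the record owner has to be fetched per request for the Owner Only case.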