Being fairly new to the MVC Framework, I am trying to establish a custom Membership provider which can support the concept of Groups or departments.
I need to assign each user to belong to one (and only one) of several groups - each group (and its members) can only view records which belong to it - identified by the GroupId.
I need to somehow store this groupid within the users profile so that when they are logged in and call (for example) the Index method on the controller, the groupid is passed which will then filter the records which the user can see.
I am sure it is a straightforward approach, but I seem to have a mental block with it.
Any insight will be helpful ( and probably embarassingly simple!)
Roger
I wonder if you could use "roles" instead of "groups". Permissions can be handled easily with roles. Usually, a role is something like admin, manager, superuser, user, guest. But couldn't you use roles for your purposes?
Here's an explanation of using roles in the Membership provider: How To: Use Role Manager in ASP.NET 2.0. You can find lots more by searching for "roles" instead of "groups".
And in case you don't have the Membership source code as a reference, you can download it from this page Microsoft ASP.NET 2.0 Providers: Introduction to see how they code for roles in the basic version.
Related
I am new to MVC ASP.Net. I need to create two admin roles in my MVC 5 EF 6 project. First role is Admin Role, which can able to access whole records. and another role is only to access the specific department records which the logged-in user belongs to. Please suggest the best way to accomplish this?
In your database create a user table (i.e. named Users). Then insert staff details such as StaffNumber, WindowsLogon (if this is applicable), ForeName, Surname and AccessType (check the diagram below). Under AccessType declare your roles (i.e. AdminRole and AdminRole2). This allows your application to detect who the user is and what Admin Role they are.
StaffNumber WindowsLogon Forename Surename AccessType
12345 kesi_k kesi kesi AdminRole
In your controller is where you need to write your code for this all to take effect.
An alternative, depending on how many users you have, would be to get your system administrator to create ative directory groups, in your case you would need two. Then place users into one of the two groups. In your controller you would then make use of User.IsInRole in order to determine which user should see what you want. Hopefully the below links will be of some use to you.
SO
Custom Role Providers
Working with Roles in ASP.NET Identity for MVC
Membership and Authorization
Perhaps I've misunderstood the concept of Roles in ASP.NET Identity and the database model, but I'm struggling to wrap my head around how to implement the following scenario: With ASP.NET Identity, it seems a User has permissions globally based on a Role, as opposed to permissions on a more granular level. I'm trying to implement a DB Schema in EF6 with Code-First where a User can be a member of several Groups. Instead of having a global Role however, I want the User to have one role in one Group, and a different Role in another.
For example, a User can create a Group, and therefore be the Group Admin, but could also be a Teacher in the Group and therefore be able to contribute Content. The same User could also be a Student in a different Group, and have different permissions in that Group as a result. Users can perform multiple Roles in a given Group, and their permissions should be based on their Role(s) within that Group.
From what I can see this isn't the intended structure for ASP.NET Identity, as I can't see how to limit the scope of a specific Role to a Group. Also, ideally I'd like to be able to assign a User to a Group, and then assign a Group of Users to another group, so for example I have a Group of Users and I assign that Group to a specific Role within another Group.
What I have in mind is a Membership table that has UserId, GroupId and RoleId to deal with mapping the Roles to specific Groups, but how would I extend that to have Roles inherited from Groups, and would I be able to leverage ASP.NET Identity to help me manage these Roles or do I have to cook my own solution up from scratch?
Take a look at this if you haven't already found it and you're working with MVC.
http://typecastexception.com/post/2014/08/10/ASPNET-Identity-20-Implementing-Group-Based-Permissions-Management.aspx
I've been working on the same same issue as you recently. This covers a lot of the requirements but there is a gap - ASP.NET Identity doesn't differentiate between authorization and authentication. In all cases, a user that does not have the required permission gets sent to the login screen. That's fine if they're not logged in, but not if they are logged in and trying to access something that they have no permission for. That is probably address here, but I haven't had time to test it yet.
How to make Authorize attribute return custom 403 error page instead of redirecting to the Logon page
Let's say I have a ASP.NET MVC 4 application. I need to provide different privileges on different pages for same users. For example, The same user could be an administrator on one page and a guest on another. MVC by default provides system wide user privileges.
I dug up some information that I should use custom membership providers to achieve my goal, but am not yet sure about this.
Can someone suggest a solution?
The roles should behave the same on the same type of pages. Let's say that a topic's content, on a forum, could be edited only by the person who created it or by a moderator. Yet the user will not be able to edit someone else's topic and the moderator will not be able to edit a topic that is not a part of his topic subject group. The role system in my application should behave similarly.
You don't necessarily have to create a custom membership provider, but you are going to have to think about permissions differently.
To start, replace the word "Role" with "Operation" in your head.
You need to create atomic, fine grained permissions in your application such as:
UserPropertiesView
UserPropertiesModify
CreateUser
DeleteUser
RolesView
RolesModify
CreateRole
DeleteRole
It might be difficult at first, but this gives you great control and flexibility over assigning operations to individual users. Since different pages will have different operations, you will be able to customize their access.
Unfortunately, the out of the box ASP.Net membership and role providers all work off the concept of a course grained Role. So long as you know they are Operations, and not roles, you will be good.
Abstractions are your friend here:
public static class Permissions
{
public static bool Operation(string op)
{
//this class can be a lot better
// it can be testable, and check
// error conditions, but this is
// only an example :)
return HttpContext.Current.User.IsInRole(op);
}
}
Somewhere you will want to group all these operations up into Roles, but that will require some custom programming on your part.
Custom Providers really aren't that scary, and you can extend the built in ones easily.
Custom Role Provider
Custom Membership Provider
I'm working on a multitenant project management application in ruby on rails and am a bit bogged down with implementing access for users who might not belong to a specific tenant.
For example we have the users Bob and Martha and they belong to a tenant A - alternatively there are two other users namely Jim and Jill who belong to Tenant B. Now we have a client called Mark who is a client to both tenants. Both tenants have projects and I need to build in an accessible form for the client so the client can sign in and view his projects. The thing is that I don't want and obviously no client would want a seperate login for each tenant here. I'm interested in coding the tenant management by myself here however I'm a bit bogged down on how to implement this.
I'm implementing row based tenancy i.e every model would have a reference to the tenant model here and signed in users can edit and add whatever belongs to their tenant. However with respect to a client or a possible case of a consultant user who might require access to more than one tenant - how do I set up the structure here.
Ideally a client would want to be able to sign in and view a list of all projects differed by tenant/company. How can I set up this structure? Also I want to keep this open ended such that it is possible that a user from TenantB might also be a client to TenantA.
The thing is that I don't want and obviously no client would want a seperate login for each tenant here.
They actually do want this, mainly for legal, auditing or security reasons.
Multi-tenancy exactly means the separation of data. So during login or right after that you choose a tenant. After that you only see data exactly of this tenant. There is no break-out later: It's possible to switch to another tenant, but not to merge data of different tenants.
If this is not what you want, consider to redesign your data model: There could be assignments between projects and persons. Customers can have their "own" projects by having a foreign key in projects linking back to the customer. This data model approach differs from using a multi-tenancy approach which is actually a technical means to separate data on row or instance level.
I have a super simple ASP.NET MVC application that uses RpxNow (OpenID) to allow users to login. I now want to let users edit their own account and provide administrator access to edit anyone's account.
I have two separate "Edit Account" views:
~/account/edit/
~/account/edit/1
The first loads the account details based on the logged in user. The second loads the account details using the supplied AccountId. The first would be for standard users, and the second for an administrator.
Firstly I need to define the roles (User, Admin) and then I need to assign a user account (or multiple) to that role.
Then I need to check the role in the controller. I like this concept:
http://schotime.net/blog/index.php/2009/02/17/custom-authorization-with-aspnet-mvc/
So, down to the questions:
Is there a simple way to define a list of roles in the web.config?
Is there a simple way to define which users are in which roles in the web.config?
Is there a way to do this WITHOUT using Membership / Role providers?
Am I approaching this from the wrong perspective? Should I be partioning the application into two branches and securing them based on folder authorisation?
I'm not a friend of storing authorization data in web.config. I prefer storing it in database or other xml files.
Have a look at Xml Membership / Role Provider. This uses Membership / Role for reading userdata but it shows a way storing and reading user authorization data from xml files.
Braching the application woulded move the issue and not solve.
Remember that the entire permissions plumbing still really revolves around IPrincipals, the Role/Membership providers are just window dressing to allow most applications to not have to write that plumbing code. In this case, you could easily add a database-backed (or just static if the list is short enough) list of roles and a list of users in roles and query that. Wrap it up behind a custom IPrincipal and stuff that puppy in there at the appropriate place and you are golden.