
I am developing a kind of CRM system that needs to have a data-based security mechanism more than a role-based security mechanism.

For example, a certain user in the system can view all clients and update his own clients.

So, role-based security won't help here because all the sales guys have the same role: sales_user_role.

I need to differentiate them by having a field in every client row: sales_owner_id

if (client.salesOwnerId.Equals(httpSession["user_id"]))
{
    // the current user owns this client row, so the write operations are allowed
    delete...
    update...
}

In the above case, the client object is the client entity that has a salesOwnerId.
Since the above is spaghetti code, I would like to do it in a data-driven security framework.

I am working with C# .NET 4, MVC3, WCF, NHibernate and Spring for dependency injection.

(I saw Rhino Security, which does that, but it is not documented and has very few learning resources.)

Thanks

SexyMF
  • What you are describing is an implicit role of "Owner" which each user will have in relation to the objects they own in the database... The objects that need to determine authorization based on ownership will need to provide a "Is the interacting user my owner" method of some sort, either in a service or in the BO. – Tetsujin no Oni Jul 17 '12 at 12:39
  • I can vouch for Rhino Security. Read the unit tests; they are easy to understand. – Henrik Nov 24 '12 at 23:21

1 Answer


You may still be able to achieve what you want with classic role-based authorization, such as a RoleProvider.

For example, you could have roles such as:

ViewOwnClients
ViewAllClients
UpdateOwnClients
UpdateAllClients
DeleteOwnClients
DeleteAllClients

You still need code to test the owner id, e.g.:

// "All" roles bypass the owner check; "Own" roles additionally require ownership
if (User.IsInRole("UpdateAllClients") ||
    (User.IsInRole("UpdateOwnClients") && client.OwnerId == currentUserId))
{
    ...
}
Joe
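One way to keep the "All"/"Own" role pattern from the answer out of every controller action is to put the owner comparison behind a single authorization method keyed by the operation. This is an added example, not code from the question or the answer; the `Client` class, the `ClientAction` enum and `ClientAuthorization` are hypothetical, and it uses `GenericPrincipal` so it runs as a console program instead of relying on the MVC `User` property.

```csharp
using System;
using System.Security.Principal;

// Hypothetical client entity carrying the ownership column from the question.
public class Client
{
    public int Id { get; set; }
    public int SalesOwnerId { get; set; }
}

// One value per operation; the role names are derived from it.
public enum ClientAction { View, Update, Delete }

public static class ClientAuthorization
{
    // Grants the action if the user holds the "<Action>AllClients" role, or holds the
    // "<Action>OwnClients" role and the row's owner id matches the authenticated user.
    public static bool CanPerform(IPrincipal user, int currentUserId, Client client, ClientAction action)
    {
        if (user == null || client == null) return false;

        string allRole = action.ToString() + "AllClients"; // e.g. "UpdateAllClients"
        string ownRole = action.ToString() + "OwnClients"; // e.g. "UpdateOwnClients"

        if (user.IsInRole(allRole)) return true;
        return user.IsInRole(ownRole) && client.SalesOwnerId == currentUserId;
    }
}

class Program
{
    static void Main()
    {
        // Constructed sample: a sales user who may view every client but only update their own.
        var identity = new GenericIdentity("alice");
        var sales = new GenericPrincipal(identity, new[] { "ViewAllClients", "UpdateOwnClients" });
        const int aliceId = 7; // hypothetical user id, taken from the authenticated session

        var ownClient = new Client { Id = 1, SalesOwnerId = aliceId };
        var otherClient = new Client { Id = 2, SalesOwnerId = 42 };

        foreach (ClientAction action in Enum.GetValues(typeof(ClientAction)))
        {
            Console.WriteLine("{0} own client:   {1}", action, ClientAuthorization.CanPerform(sales, aliceId, ownClient, action));
            Console.WriteLine("{0} other client: {1}", action, ClientAuthorization.CanPerform(sales, aliceId, otherClient, action));
        }
    }
}
```

The `currentUserId` argument must come from the server-side authenticated identity (the session the question mentions), never from a request parameter, otherwise the ownership check can be satisfied by anyone who supplies another user's id.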