0

I want to create a website with various users. The users can have different roles, admin and user, which is a very well documented situation. But I would like to also group the users on their location, so at each location I can have both admins and users. - A multi dimensional role system?

The reason is, that users in Germany should have access to a certain set of documents, while the Italian users shouldn't.

Where should I look for documentation on this specific topic? I need some way to limit my search, maybe some keywords.

niton
  • 8,771
  • 21
  • 32
  • 52
Chau
  • 5,540
  • 9
  • 65
  • 95

3 Answers3

2

A different approach would be to add another set of roles, corresponding with the different locations available, for example Germany and Italy. You then make all German users members of the Germany role, and the German admins members of both Germany and Admin. When checking permissions, you then check both for Admin and for the current locale.

Remember, one user can have many roles.

Tomas Aschan
  • 58,548
  • 56
  • 243
  • 402
  • I have thought of that, but how do I distinguish between location and user-type roles? The approach I would used in the late 90’s, was to have a database with a user table, a role table, a location table and Ids to link them together. Then I could distinguish between the different types, do lookups based on the different types and so on. But I think that asp.net might have done this easier, and that is what I’m looking for. Does that make sense? – Chau Sep 02 '09 at 13:18
  • 1
    I see your point, and no - this solution does not provide a simple answer to that question. If it's important for you to be able to list locations specifically, you might want to implement your own ´MembershipProvider´ that inherits from the standard one. On the other hand, if you're only going to have Admins and Users (or maybe one or two more roles) and the rest will be locations, you can list all but the few roles you have. Ugly, but working... – Tomas Aschan Sep 03 '09 at 12:49
  • A very similar alternative is to make two roles "Germany" and "Germany.Admin". You could then do `User.IsInRole("Germany") && User.IsInRole("Germany.Admin")`. You'd have to create roles for each country, but if you follow a specific format you can always know where a user is and what permissions they have. – Greg Sep 03 '09 at 15:54
  • That is my approach so far, but I can imagine the huge amount of roles necessary to represent 100 countries multiplied by the number of user types (admin, user...) multiplied by the number of different capabilities each user needs to have (adding, editing, printing, deleting...). Is this the normal approach or is there a better "best practice"? – Chau Sep 04 '09 at 13:27
  • Well, that sounds like kind of a pain to manage, honestly. I'm not sure what to tell you. – Greg Sep 04 '09 at 13:29
  • It's unnecessary to multiply - you don't have to increase the total number of roles by anything compared to having a role/location system. If you have hundreds of roles for countries, that number would not change if you could refactor them to a location specific role type. And each role for user privileges would be needed anyway. So instead of `User.IsInRole("Germany") && User.IsInRole("Germany.Admin")` you do `User.IsInRole("Germany") && User.IsInRole("Admin")`, using the same `Admin` role for every location, but in combination with location roles to keep admins from the wrong country out. – Tomas Aschan Sep 04 '09 at 13:33
  • @Tomas: If a user is a member of Germany and Italy, but has admin rights for Germany, but only user in Italy, how should I manage that? – Chau Sep 07 '09 at 08:40
  • True, that would not be coveredy by my setup. I had no understanding that support for that scenario was a requirement. – Tomas Aschan Sep 07 '09 at 14:55
1

First of all, please see the very excellent tutorial series on 4GuysFromRolla: https://web.archive.org/web/20210513220018/http://aspnet.4guysfromrolla.com/articles/120705-1.aspx

Secondly, the built in Role Provider is extremely rudimentary. You associate a user with a string (role) and that's pretty much it. There's no heirarchy or additional properties that you associate with the role, unless you pack in into the string (role name).

Greg
  • 16,540
  • 9
  • 51
  • 97
  • #1: Yeah, I have looked at that, but it still confuses me :) #2: Exactly what I was afraid of. The things you say it lacks, are probably what I'm looking for :S – Chau Sep 03 '09 at 06:30
0

You might want to look at custom profile properties. MSDN

Paddy
  • 33,309
  • 15
  • 79
  • 114