
Looking for a bit of advice and direction with access levels within Roles.

I have an MVC project that makes use of AspNetRoles. For example, I have the following roles set up: Admin, CustomerIndex, CustomerCreate.

In my Customer Controller I have:

[Authorize(Roles = "Admin, CustomerIndex")]
public ActionResult Index() ....

[Authorize(Roles = "Admin, CustomerCreate")]
public ActionResult Create() ...

What I want to do is restrict what the User can see and do based on his/her access level within the role.
Let's say I have the following Customers: ABC, DEF, XYZ

I want to grant different users read access to different customers, i.e. User1 has the CustomerIndex role but can only view data for ABC and DEF, while User2 has the CustomerIndex role but only for customer XYZ, and then similarly for the CustomerCreate role.

So if User1 runs to the Customer page, he will only be presented with the customer data for ABC and DEF. If User2 does the same, he will only see data for customer XYZ.

What is the best way to achieve something like this?

Stuart
  • You have a complicated situation here; you cannot achieve this only with a role-based approach. But you can create claims during the creation of users and then use claim-based permissions with your requirements. – DSR Oct 10 '14 at 10:00

1 Answer


In your case, the customers a user can see are not really related to the roles they have. You need to think about bringing back the filtered list of customers via your app's business logic, rather than trying to do it via roles.

In your example, you'd need some sort of data store with a User column, and a Customer column.

Users   Customers
-----   ---------
User1   ABC
User1   DEF
User2   XYZ

When a user with a CustomerIndex role requests the Index controller, the Authorize attribute will allow them access, then in the controller itself, you query your data store, and return all Customers for the current User and pass that back to your view in a model. The same goes for the Create controller.
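One way to implement the approach the answer describes, as an added example that is not part of the original answer: the role attribute decides which actions a user may call, and a User/Customer mapping table decides which rows come back. It assumes ASP.NET MVC 5 with ASP.NET Identity (Microsoft.AspNet.Identity supplies User.Identity.GetUserId()); the ICustomerStore interface, the CustomerAccess and CustomerRecord types, the AllowedCustomerCodes helper and the Admin-sees-everything rule are all assumptions made for the example, not code from the question or answer.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;   // User.Identity.GetUserId()

// Hypothetical row type for the "Users / Customers" mapping table from the answer.
public class CustomerAccess
{
    public string UserId { get; set; }
    public string CustomerCode { get; set; }   // "ABC", "DEF", "XYZ"
}

public class Customer
{
    public string Code { get; set; }
    public string Name { get; set; }
}

// Hypothetical form model for Create: a record that belongs to one customer.
public class CustomerRecord
{
    public string CustomerCode { get; set; }
    public string Details { get; set; }
}

// Hypothetical data-access abstraction; back it with EF, Dapper, etc.
public interface ICustomerStore
{
    IEnumerable<string> CustomerCodesForUser(string userId);   // reads the mapping table
    IEnumerable<Customer> AllCustomers();
    IEnumerable<Customer> CustomersByCode(IEnumerable<string> codes);
    void AddRecord(CustomerRecord record, string createdByUserId);
}

public class CustomerController : Controller
{
    private readonly ICustomerStore _store;

    public CustomerController(ICustomerStore store)
    {
        _store = store;
    }

    // The role gates the action; the mapping table filters the rows.
    [Authorize(Roles = "Admin, CustomerIndex")]
    public ActionResult Index()
    {
        // Assumption for the example: Admin sees every customer, others only their mapped ones.
        var customers = User.IsInRole("Admin")
            ? _store.AllCustomers()
            : _store.CustomersByCode(AllowedCustomerCodes());
        return View(customers.ToList());
    }

    [Authorize(Roles = "Admin, CustomerCreate")]
    public ActionResult Create()
    {
        // Only offer the customers this user is mapped to in the form's dropdown.
        ViewBag.CustomerCodes = User.IsInRole("Admin")
            ? _store.AllCustomers().Select(c => c.Code).ToList()
            : AllowedCustomerCodes().ToList();
        return View(new CustomerRecord());
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    [Authorize(Roles = "Admin, CustomerCreate")]
    public ActionResult Create(CustomerRecord record)
    {
        if (!ModelState.IsValid)
        {
            return View(record);
        }

        // The role only says "may create"; the mapping says "for whom". Re-check the
        // posted customer code server-side so a user cannot submit a code they were
        // never offered in the form.
        bool allowed = User.IsInRole("Admin")
            || AllowedCustomerCodes().Contains(record.CustomerCode, StringComparer.OrdinalIgnoreCase);
        if (!allowed)
        {
            return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        }

        _store.AddRecord(record, User.Identity.GetUserId());
        return RedirectToAction("Index");
    }

    // Reads the current user's rows from the mapping table (hypothetical helper).
    private IEnumerable<string> AllowedCustomerCodes()
    {
        return _store.CustomerCodesForUser(User.Identity.GetUserId()).ToList();
    }
}
```

The point of the second Create overload is that filtering the dropdown in the GET is a usability measure, not an authorization one; the POST performs the same mapping lookup again, because the customer code arrives from the client and the CustomerCreate role by itself says nothing about which customers the user may create records for.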