
How should ASP.NET MVC routes be structured to allow granular role-based access control to business branches?

Every business entity is related to a branch, either by itself or via its parent entities. Is there an elegant way to authorize actions based on user-roles for any number of branches?

1. {branch} in route?

{branch}/{controller}/{action}/{id}

Action:

[Authorize(Roles="Technician")]
public ActionResult BusinessWidgetAction(BusinessObject obj)
{
    // Authorize will test if User has Technician role in branch context
    // ...
}

2. Retrieve branch from business entity?

{controller}/{action}/{id}

Action:

public ActionResult BusinessWidgetAction(BusinessObject obj)
{
    if (!User.HasAccessTo("WidgetAction", obj.Branch))
        throw new HttpException(403, "No soup for you!"); // or redirect

    // ...
}

3. Or is there a better way?

Petrus Theron
  • Looking at your other question as well - my feeling is that you need to re-consider the way your Access/Security works. I understand the need for granular control and it would seem that there are many restrictions that you need - this for me is the indication for a re-think. – Ahmad Apr 29 '10 at 06:36
  • @Ahmad: Should I be looking at ACL? – Petrus Theron Apr 29 '10 at 11:30
  • Not too sure about ACL.. however using a `custom membership provider` will help. You want to `authorize actions based on user-roles` - simple enough for the default membership provider; however the additional restriction is `for any number of branches` - so is this actually a Role->Branches (eg User is in Admin role for some branches) relation or a User->Branches (can't think of example) relation. I could possibly be missing something!! – Ahmad Apr 29 '10 at 12:52
  • I have tables for `Branches` (eg. Cape Town), `Roles` (eg. Admin, Techie) and `Users` (John, Jill, Peter), with a `UserRoles` table that keeps track of the **user**, **branch** and **role**, eg. (Peter, Cape Town, Techie). I like Runeborg's answer here: http://stackoverflow.com/questions/1335315/access-control-in-asp-net-mvc-depending-on-input-parameters-service-layer/1336404#1336404 – Petrus Theron Apr 29 '10 at 13:06
  • I am already using a custom membership and role provider. – Petrus Theron Apr 29 '10 at 13:17

1 Answer


I ended up using the same codebase on separate applications and databases for each business branch. This means I have to update each individually, but allows forking of features.

I rolled my own [BranchAuthorize(Roles = "Editor, Stock Keeper")] attribute which checks the authenticated user's roles against the controller action's required roles and displays a message detailing the required roles if none are assigned.

Unified branch access control would require a separate authorization service, but would allow for central rights administration.

Petrus Theron
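An added example (not code from the question or the answer) of the kind of branch-scoped authorize attribute the answer describes, assuming ASP.NET MVC 4 or later, the `{branch}` route segment from option 1, and a hypothetical `IBranchRoleStore` standing in for the `UserRoles` (user, branch, role) table:

```csharp
using System;
using System.Linq;
using System.Net;
using System.Web;
using System.Web.Mvc;

// Assumed contract over the (user, branch, role) UserRoles table described in the question.
public interface IBranchRoleStore
{
    bool IsInRole(string userName, string branch, string role);
}

// Hypothetical attribute: takes {branch} from the route and requires one of the listed roles in that branch.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class BranchAuthorizeAttribute : AuthorizeAttribute
{
    // Set once at application start; static only to keep the example self-contained.
    public static IBranchRoleStore RoleStore { get; set; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Fail closed: no authenticated user, no branch in the route, or no store wired up -> deny.
        if (httpContext.User == null || !httpContext.User.Identity.IsAuthenticated || RoleStore == null)
            return false;

        var branch = httpContext.Request.RequestContext.RouteData.Values["branch"] as string;
        if (string.IsNullOrWhiteSpace(branch))
            return false;   // never fall back to a branch-less (global) role check

        var required = (Roles ?? string.Empty).Split(',').Select(r => r.Trim()).Where(r => r.Length > 0).ToList();
        if (required.Count == 0)
            return true;    // no roles listed: authentication alone is enough

        var user = httpContext.User.Identity.Name;
        return required.Any(role => RoleStore.IsInRole(user, branch, role));
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Logged in but lacking the branch role: answer 403 and name the required roles
        // instead of redirecting to the login page, which would just loop.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden,
                "This action requires one of the roles: " + Roles);
            return;
        }
        base.HandleUnauthorizedRequest(filterContext);   // not logged in -> default 401 / login redirect
    }
}
```

Applied as `[BranchAuthorize(Roles = "Editor, Stock Keeper")]` on an action reached through the `{branch}/{controller}/{action}/{id}` route from option 1. The route segment is the only branch context the attribute sees, so an action that loads an entity by `id` should still confirm that the entity's `Branch` matches the route branch before acting on it.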