0

In the membership provider there are mechanics to provide authentication and authorization at the page level using the web.config files and protection for methods using decorators.

I am pretty new to using this asp.net http://msdn.microsoft.com/en-us/library/yh26yfzy(v=VS.90).aspx

My question is, is there a method to NOT store these in .config files and code but to have them in the sql database so that administration can be managed to allow multiple "roles" and security in some dynamic fashion?

Examples of what I mean:

web.config file:

<?xml version="1.0"?>
<!-- 
    Note: As an alternative to hand editing this file you can use the 
    web admin tool to configure settings for your application. Use
    the Website->Asp.Net Configuration option in Visual Studio.
    A full list of settings and comments can be found in 
    machine.config.comments usually located in 
    \Windows\Microsoft.Net\Framework\v2.x\Config 
-->
<configuration>
    <appSettings/>
    <connectionStrings/>
     <system.web>
      <authorization>
        <allow roles="Administrators" />
        <deny users="*"/>
      </authorization>
    </system.web>
</configuration>

Example snip of a method decorated:

[PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
[PrincipalPermission(SecurityAction.Demand, Role = "Supervisors")]
protected void UserGrid_RowUpdating(object sender, GridViewUpdateEventArgs e)
{
    // ... handler body omitted in the original snippet
}

In particular, I would be interested in examples where a database Party data model pattern/practice could be used to facilitate both the authorization and the authentication of a particular user and not have the roles and such defined in the configuration or code. Am I missing something that I should know/be aware of here?

Mark Schultheiss

2 Answers

0

One method would be to create an intermediate table Group, where Users are assigned to Groups and Groups are assigned to Roles.

So your multiple roles requirement will be translated to multiple groups.

[PrincipalPermission(SecurityAction.Demand, Role = "SingleRole")]
protected void UserGrid_RowUpdating(object sender, GridViewUpdateEventArgs e)
{
    // ... handler body omitted in the original snippet
}

You will have to write a custom RoleProvider to implement this.

Eranga
0

The examples you posted are of authorization data. Both define level of access to an asp.net resource for certain role(s). So what you are really asking is, is there a way to configure authorization in ASP.NET in a way that is SQL-based so you can change what Roles have access to things from SQL, without modifying source or configuration directly.

I don't know any way of doing this directly, but I could suggest plugging in your own role/group structure in SQL to the built-in Role structure, so that the ASP.NET role defines the resource and level of access, and the SQL group/role can be changed dynamically as you describe and follow your Party data model.

pseudocoder
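
The following C# is an added example, not code from either answer or from ASP.NET itself: a read-only custom RoleProvider of the kind both answers describe, resolving a user's roles through group membership stored in SQL. The class name, the table and column names (Users, UserGroups, GroupRoles, Roles) and the "AuthDb" connection-string name are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Web.Security;

// Added example. Table/column names and the "AuthDb" connection string are assumptions.
public class SqlGroupRoleProvider : RoleProvider
{
    private const string RolesForUserSql = @"SELECT DISTINCT r.RoleName FROM Users u
        JOIN UserGroups ug ON ug.UserId = u.UserId
        JOIN GroupRoles gr ON gr.GroupId = ug.GroupId
        JOIN Roles r ON r.RoleId = gr.RoleId WHERE u.UserName = @userName";

    public override string ApplicationName { get; set; }
    public override string[] GetRolesForUser(string username)
    {
        return Query(RolesForUserSql, new SqlParameter("@userName", username));
    }
    public override bool IsUserInRole(string u, string role) { return Has(GetRolesForUser(u), role); }
    public override string[] GetAllRoles() { return Query("SELECT RoleName FROM Roles"); }
    public override bool RoleExists(string role) { return Has(GetAllRoles(), role); }

    private static bool Has(string[] roles, string role)
    {
        return Array.Exists(roles, r => string.Equals(r, role, StringComparison.OrdinalIgnoreCase));
    }

    private static string[] Query(string sql, params SqlParameter[] args)
    {
        var roles = new List<string>();
        using (var conn = new SqlConnection(ConfigurationManager.ConnectionStrings["AuthDb"].ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddRange(args);   // parameterised: user input is never concatenated into SQL
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                while (reader.Read()) roles.Add(reader.GetString(0));
        }
        return roles.ToArray();
    }

    // Read-only by design: group and role rows are edited by the admin tool directly in SQL.
    public override void AddUsersToRoles(string[] u, string[] r) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] u, string[] r) { throw new NotSupportedException(); }
    public override void CreateRole(string r) { throw new NotSupportedException(); }
    public override bool DeleteRole(string r, bool throwOnPopulated) { throw new NotSupportedException(); }
    public override string[] GetUsersInRole(string r) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string r, string match) { throw new NotSupportedException(); }
}
```

Once the provider is registered under `<roleManager>` in web.config, the existing `<allow roles="...">` rules and `PrincipalPermission` demands are evaluated against these rows, so access is changed by editing group membership rather than configuration or code. Leave `cacheRolesInCookie` disabled if a revoked group membership must take effect on the user's next request.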