sql - ASP.net Limit user functions based on custom table roles and permissions, not ASP Memberships -


i have asp.net website, ms sql server on backend.

for simplicity, describe problem 3 4 tables though in reality more that.

tables:

tblsystems
• systemid (pk)
• systemdescription
• other columns

tblsystems_projects (many projects can associated each system)
• various fields users can see/modify/delete, based on permissions.

users (as generated asp.net, user/membership/roles etc...)
• userid
• other columns

tblsystems_permissions_link (this links 2 tables)
• systemid
• userid
• allowedit
• allowview • allowdelete
• allowinsert

i set stored procedure each of insert/update/delete functions in database tblsystems_projects.

when user goes change/add/delete record in tblsystems_projects, send parameter of @userid (from logged in user) sp.

for update check see in tblsystems_permissions_link have allowedit set true, given system in tblsystems. way tables linked, if don't have edit permissions, there won't row updated (becuase clause returns 0 rows), in execution of sp. fine.

same goes delete.

but insert, there no clauses available inserting records tblsystems_projects.

  1. how can prevent userid not have insert priveledges particular system inserting tblsystems_projects table?
  2. when logged in userid tries click on insert, can redirect them "you not have epermission" page?
  3. can hide insert command based on logged in userid? when that? on page load? suggestions on methodology that? simple sp returns scalar of insert value?

i looked @ roles/memberships etc... doesn't quite work, many different people have different permissions based on system. in 1 system, 1 person admin, , ini system, viewer only.

what trying accomplish have users have access records, granting them permission allowed do. permissions vary based on systemid.

there lot of way it. here approach role based authorization -

i'll restrict authorization based on user's roles. example, if system in addrole , user in addrole, user can create new record.

page's authorization logic should not in store procedure alone. instead, should started in presentation layer (such controller).

if need addition logic checking, can place business logic layer.

enter image description here

tblsystems_permissions_link (this links 2 tables) • systemid • userid • allowedit • allowview  • allowdelete • allowinsert 

you should not create tblsystems_permissions_link table individual column. it not database design, unless can 100% ensure there won't new authorization type in future.


Comments

Popular posts from this blog

Android layout hidden on keyboard show -

google app engine - 403 Forbidden POST - Flask WTForms -

c - Why would PK11_GenerateRandom() return an error -8023? -