I have an mvc4 application which use sql database as back end. I am using asp.net identity for authentication and authorization. I have a need to move some of the user settings/configuration from database to flat files. The current system stores user configuration in tables which we do not want to share with customers. This information must be maintained in flat files and be written in the directory where the code is executed. I need to come up with a .NET MVC prototype which can store/retrieve user configuration from a flat file.
Basically, I need that instead of using the database for authorization for storing and checking what users have access to what features etc. I can store in a flat file and load that into memory and use that to check for authorization for granting users access to different features.
Also when the admin changes users authorization stuff it should update the file.
Can anyone please suggest me some scenario.
You can look into using files as Resources in your code. Resources can be accessed, read and updated at run time. And these will not be exposed to the users.
Some links which might help.
https://stackoverflow.com/a/1533984/689625
https://stackoverflow.com/a/20908560/689625
https://msdn.microsoft.com/en-us/library/7k989cfy%28v=vs.90%29.aspx
Related
How to permission a document that can be modified by client but not deleted ?
Does RavenDB have notion of document permission for admin & non-admin users like in other Relational Databases ?
I have a set of documents which will be created only from the RavenDB Dashboard. I want to prevent these handful of documents to be deleted by the client.
Although client should be able to "modify" them, by "modify" I mean append only.
I am assuming we are talking about 4.x version of RavenDB.
On short, no, it is not possible with out of the box functionality.
Authentication and authorization in RavenDB is based on certificates, and functionality-wise is different from what you would typically find in major RDBMS databases.
You can assign roles per client certificate, and those roles would have pre-defined set of operations they can access. You can also restrict which databases certain certificate can access.
But you cannot restrict certain client certificates from deleting a document while allowing to do other operations.
Take a look at the documentation article for more information : https://ravendb.net/docs/article-page/4.2/csharp/server/security/authorization/security-clearance-and-permissions
If I needed to implement such functionality, I would probably place such logic in DAL layer of the application itself.
We are developing an asp.net core multi-tenant application in which we have a single installation of the software and, based on the host, it gets the data from different database. THis way each tenant has it own database.
Single application - multiple tenat databases
Since tenants can personalize the fixed texts of the application, we need to store those localizations resources in the tenant database. At the beggining we load those resources with the default values but after that each tenant could change those values.
We need a way to have those resources so when someone types www.tenant-01.com it gets the resources for this tenant. But accessing the database each time we need a resource is not a good technique since the performance would be horrible...
Any ideas on how to address this?
I am trying to develop a modular web aap using asp.net mvc 4. My question is that what is the best place to store the user settings, configuration and user access. Whether it is good to store it in db or good to store it in xml file.
I would prefer to go with XML.
Advantages in XML file :
No need to access in your database server.(Which is contains valuable data)
Anybody can understand and change the settings. (No need to know about SQL)
Platform independent.
Disadvanges in XML file :
Need to backup the file. To overcome this problem, Have to maintain the changes by history (It is a best way to revert it back).
I've already created a Welcome page where a user chooses amongst 3 user types (buttons). Each button takes the user to their own login forms. After they login they are each taken to their own switchboard.
The problem is they can still see the options on the left. I "unchecked" the option in options menu, but they can just check those if they wanted to, to see them.
I want some users to be locked out from accessing those navigation options permanently because there's sensitive information in some of the tables.
Is there any way to do that?
If you want to accomplish your objective using just Access then you'll need to store the tables in an .mdb file and configure it to use user-level security. However, that approach has at least two significant disadvantages:
User-level security can be a nuisance to set up and maintain, and
That security model (encrypted .mdb files and associated .mdw "workgroup" files) is deprecated.
If you're serious about your security requirements then you'd be better off using something like Microsoft SQL Server (perhaps the Express Edition) for your back-end data store.
i'm planning to use a combination of entity framework + plain sql access for a large sized project that i'm about to start. its an ASP.NET web application.
for auditing data, i was thinking of creating a user in sql db for every user in membership that i create so that the auditing can automatically track the asp.net logged in user activities. so basically, if i could impersonate as that username for the connection that is used, then sql server will automatically log.
do you know how to implement this in entity framework, i'm fairly new to ef.
if this is not possible, do you know another solution WITHOUT manually including userid in every sql insert/update/delete.
thanks..
That is pretty bad idea. If you want this kind of auditing don't use membership and instead use Windows accounts directly with Kerberos delegation as common in large ERP or CRM systems = each user will have access to the database with his own domain account but it requires very correctly specifying security for the database and it will most probably lead to design without entity framework because you will not want users to be albe to execute queries directly but only to execute stored procedures under their user context.
If your application should be publicly available then this level of auditing is not for you and you must roll your own solution on the application level (not the database level).