I am currently working on a project that is designed based on SQL and VB.NET. The idea as the following: there are different permissions for users. The administraotr grants each user specific permissions. The idea is illustrated as the following:
For example, user A can get the following permissions:
He is able to add new tender, modify existing tender, add new customer.
User B has the following permissions:
He is able to view existing tenders, add new employees, ... and so on.
The idea of how to implement it in SQL and VB.NET is:
Creating a new table called Permission with the following fields:
UserID (foreign key for the user ID), for each permission there will be a single field so there will be 12 field.
Now, in VB.NET there will be 12 buttons (i.e. Add new tender, Delete tender, ....). Each button will enabled and disabled based on the value of the field (if the field = 1, the button will be enabled).
Here is an example:
In this case, for this user the buttons with the red lines will be enabled and the rest will be disabled, based on his permissions.
It is obvious that this way is SILLY and is not professional to be implemented.
I need your recommendation of how to enhance it.
Thanks
Ideally you want to use an external authorization framework e.g. Microsoft's claims-based authorization or better yet, XACML - the eXtensible Access Control Markup Language.
When you use externalized authorization, all you need to write in your code (if at all) is:
"Can I enabled button foo?". That's a question you send off to the external authorization engine. If you use an engine that "runs on XACML", then you get policy-based, attribute-based access control where you could easily define that:
users that are assigned to a customer can add tenders for that customer
Check out open source solutions or vendor solutions such as Axiomatics, the vendor I work for. Also check out available resources on XACML e.g. http://en.wikipedia.org/wiki/XACML or XACML videos on YouTube.
Related
I am fairly new to coding in the .Net environment. I am having trouble finding "real-world" examples on authentication/authorization using Identity. Most examples I come across are primarily textbook examples that use the ASP .Net registration template.
I am trying to find guidance on where to look (yes, I Googled and I get very unrealistic/unusable use cases or "classroom" examples) or how to do this.
I work for a small school and I am trying to build an application (possibly Blazor - just experimenting with various technologies now) that allows both students and employees to login into a portal and view their relevant data. I have an Employee table and a Student table based on POCO classes. When I add identity to the project it creates Users and Roles tables as well.
I would like to have the "Users" table based on the Student and Employee tables - not have a separate users table. I do not want to have a "registration" option either. I would like the option for an Admin (which would fall under an "Employee") to be able to add users, but not use a registration page.
How would I implement Identity and Roles without using all the extras added? I am using .Net 5.0.
Thank you for your time and pelase forgive the English - it's new to me as well.
I understand what you're trying to do. It IS possible to Create a Custom AuthenticationStateProvider
But unless you have a VERY robust database already, I wouldn't do it. Getting the default system set up and migrating users will take at most an hour. Setting up your own custom authorization system is likely to take you MUCH MUCH longer.
Having different users in different tables is not a good design plan. They all have names, phone numbers, e-mails and so on-- put them on one table.
Hi Derrick and welcome to the community! #Bennyboy1973 is correct, in that both your Students and Employees are all "Users", so they should all be stored in the same table. To add to that response a bit, probably the simplest way for you to manage them is by using Roles, so the Students could be in one role and the Employees could be in another. By having a role attached to each, you can then use the roles as a filter in your queries and you could also restrict the access and actions each type will have based on the role they are in.
Regarding having administrators add the users to the database without public access, this can be done as well. Once you get the default identity system up and running, you can scaffold out the whole system so it can be modified, and probably the easiest way to achieve what you are after is to then modify the default registration (signup) page so that it requires the user to be authenticated to reach it, and then implement a confirmation email to activate each new account.
There are a few things with this approach that you need to be aware of as well.
Since the admin will be setting up all the other user accounts, you should modify the email confirmation chain to require a password reset at some point. The administrators can have access to the user's information as needed but shouldn't have the user's passwords.
Identity Server will store passwords in an encrypted format, and you'll need an initial user in your database. What this means is that you will have to "seed" an initial admin user into the database that you can use to sign in and get started with everything else. You'll have to research how to do this, as it isn't as simple as just accessing the database directly and adding the user and roles because of the encryption. The program you build should be designed to do this for you on either the first run or if you are connecting to a new database, using a username and password that you know. It will then store the user properly that you can use to sign in as Admin, then change the admin password. This makes the whole thing more secure.
This all sounds like a headache, but it's worth it to work through and know how it all fits together. The, as mentioned in other answers, you can migrate existing data into the database.
I have developed a pretty standard and common authorization permission system for an internal business web application.
There are some roles with permission sets; system administrator can create new roles and assign permissions to them; every web controller method has an attribute to check for specific permission. So far so good.
But then I have the following conversation with the customer:
Customer: "Please, make it possible to hide specific form fields in specific forms for a specific role".
I: "Ok, so the users of this role shouldn't have permissions to modify these fields, right? I can also add a permission check to the method that saves the data."
Customer: "No, no, it's not a permission issue as such, it's just about convenience - this role doesn't need to work with these fields and we want to make the UI less cluttered. The users of this role shouldn't see these fields in this form only; however, there are other forms where it's totally OK to see these fields. Of course, we might later create new roles that will need to see these fields in this form, but by default the fields should be hidden."
And so the permission system gets cluttered with "pseudo-permissions", such as "See field X in form Y". They exist for UI convenience purposes only and have nothing to do with authorization for performing activities on data.
Is it a good practice to control UI through roles & permissions, even when the specific permission has nothing to do with data processing authorization? Is there a clean solution to avoid cluttering the permission system implementation with such UI-only pseudo-permissions and still provide the customer with granular control to achieve cleaner UI for specific roles?
I've found piranha.core cms this week and it looks great and very extendable.
I need CMS in a site that will need user registration for a fundraiser event for a charity. This would be for donators as well as volunteers raising money.
But I also want some users to be able to create news post, etc.
This project would require volunteers to be able to edit content on a profile page and for dontators to track their donations.
I'd like the accounts of my registrants, volunteers and content creators to be the same accounts.
The Piranha.core example uses 'Piranha Identity With Seed', which in turn uses asp.net identity as I've seen in the UserController.
So here's what I'd like to do :
Register users,
Create a page for a volunteer when a volunteer registers,
Assign rights to the volunteer to be able to edit/publish only their own page.
So I think I could register a user using the Asp.net Identity UserManager, copy a template page using the PageEditService, but the question is: can I limit the rights of a user to just being able to edit the user's profile page? (maybe not even all content on the page)
Cheers,
Jurjen
The manager permissions are function based so that user groups can be assigned the rights to perform different actions on different types of entities. There is no support at the moment to limit access to specific pages to specific users.
My advice is to create the edit view in the front-end application as it is extremely easy to load & update pages with the existing Api, and this will probably give you more freedom in regards to what you want the users to be able to edit on the page.
For connecting the created pages with their users you could either:
Add a StringField to the PageType containing the user id, or
Add you own database table in your own DbContext connecting the user & page.
I would also consider using Posts for your volunteers instead of Pages. This way you could use the built in functionality for creating a Volunteer archive where volunteers could be categorized and tagged for easier searching. It will also make sure the sitemap stays uncluttered and focused.
Best regards
I am developing a POC (SahrePoint 2010) where I can demonstrate that the users can be granted certain permissions on a list for a Date range (for example contribute access for a selected week). I will be breaking permission inheritance and create unique permissions for a list.
I would like the permissions to be revoked automatically after the expiry date. Also, I would like to do this using the Manage Permissions list (_layouts/user.aspx) so that I don't have to maintain a separate list.
I have a couple of questions regarding this:
1. I assume that the custom permissions for any list must be stored n some list. How can get to know in which list the permissions are getting stored?
2. If at all I get to know in which list the permissions are getting stored, will I be able to add columns to that particular list?
I hope that the question is clear.
Permissions are not stored in any list. Rather, every securable object (including sites, lists, folders, and items) has a Role Assignments property that indicates what groups/users currently have access, and what their permissions are (if not inherited).
See the SPRoleAssignment class documentation for more information.
Note that the User Information list is not a "Manage Permissions" list; it stores profile information about users who access the site, but does not store any permission-related information. Further, it's not a typical list at all, in that it does not show up in the SPWeb.Lists collection for a subsite, and its fields are automatically populated by SharePoint's User Profile Service. While you could potentially add more columns to it, you'd be better off using a separate list to store and track your permission information instead of contaminating the site collection user info list.
To have permission changes take place based on an expiry date, you'll need to implement a time-based solution that runs on a regular basis to see if any changes need to be made, such as a custom timer job, a custom site workflow that runs on a schedule, or a Windows scheduled task.
I'm trying to make the "Edit" button on the Project form to only be visible if the user logged into the system is the Project Manager of that project. I've been reading various answers online regarding this, gathering some understanding of Access Rights vs. Record Rules but I haven't been able to get this working. To my understanding, Access Rights over-ride Record Rules. So, if I create a record rule under the group "Project/User" that has read and write access with the domain as the following:
[('user_id','=',user.id)]
This will be over-ridden by the Access Rights for Project/User anyway? So How would I get this to work?
Thanks to anyone who can help.
As far as I know, Record Rules can override Access Rights.
Here is an example where record rules are used to change the base_user edit capabilities depending on the Task state: https://github.com/OCA/project-service/tree/8.0/project_baseuser/security
However, the "edit" button is not dynamically visible depending on the Task Status: it's always visible but the rules may or may not allow to write upon "Save".
Access Control List is checked before Record Rules.
Because Access Control List is a CRUD security on models (create/read/update/delete).
Only if ACL is passed next record level security comes in.
As far as I understood you want to give Project User permission to edit his own projects (he is in group Project User not Project Manager but set as Project Manager for exact Project by Project Manager group user LOL).
I did this by doing the following:
1) Give project users Project Manager role.
2) Restrict them to only modify own projects by creating a Global rule (no group is set) with the following domain on update / delete operations:
['|', ('user_id','=',user.id),('create_uid','=',user.id)]
P,S, Here is screenshot - http://awesomescreenshot.com/0083nqyf76
For the model project.project, provide the write permission only to the group project manager.Go to settings/techical/security. There you can see the access control list. CHeck what all group is provided to the project.project model.for every group other than project manager, remove the write permission