Hi,
I am developing an MVC application and would like some advice on how I could use ASP.NET Identity to implement my security requirements.
In my database I have Users but I also have the concept of 'Accounts'.
A user may have access to multiple accounts and a user may have different roles/access levels in each account.
(i.e. a user could have different access in one account to another account)
I would like to use Claims and the ASP.NET Identity manager to manage all the security in the application; however, I'm struggling to find a way of implementing this structure naturally using the ASP.NET Identity system.
One idea I've come up with is to write a custom ASP.NET Identity implementation and expose my User/Account relationships using the Claims representation.
i.e.
If there are two accounts called ACC0001, and ACC0002 and two users 'bob' and 'alice'
User 'bob' has full access to account ACC0001 but no access to ACC0002
User 'alice' has read-only access to account ACC0001 and full access to ACC0002
'bob' could have a claim called http://uri/account-access:ACC0001 and its value is 'Full'
'alice' could have two claims: one, http://uri/account-access:ACC0001 with value 'ReadOnly', and a claim http://uri/account-access:ACC0002 with value 'Full'.
The custom provider would do the relevant database checks for the user to create the claims.
Then I could simply take the account ID and then query the claim using the account ID to find out what access the user has to the specified account.
If I wanted to expose this as 'Roles' style access to an account then:
'bob' could have a claim called http://uri/account-roles:ACC0001 with values 'Read, Write, Admin'
'alice' could have two claims: one, http://uri/account-roles:ACC0001 with value 'Read', and a claim http://uri/account-roles:ACC0002 with a value 'Read, Write, Admin'
Or is it better to just rely on my Entity Model and implement a Helper that checks the database in my website MVC actions and only use ASP.NET Identity for user authentication?
Would like to find out what the general consensus is.
Many Thanks,
Kevin
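The per-account claim scheme described in the post, as an added example that is not part of the original post: it builds the account-access claims for 'bob' and 'alice' and resolves a user's access to an account ID with a deny-by-default lookup. The `AccountAccess` enum, the `AccountClaims` helper, the authentication type string and the in-memory rows standing in for the database are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public enum AccountAccess { None = 0, ReadOnly = 1, Full = 2 }

public static class AccountClaims
{
    // Claim type prefix from the post; the account ID is appended to it.
    public const string Prefix = "http://uri/account-access:";

    // Hypothetical stand-in for the custom provider: turns the user's
    // account rows (as loaded from the database) into one claim per account.
    public static ClaimsPrincipal Build(string user, IDictionary<string, AccountAccess> rows)
    {
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, user) };
        claims.AddRange(rows.Select(r => new Claim(Prefix + r.Key, r.Value.ToString())));
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "Example")); // assumed auth type
    }

    // Deny by default: a missing, duplicated or unrecognised claim value is None.
    public static AccountAccess GetAccess(ClaimsPrincipal user, string accountId)
    {
        var values = user.FindAll(Prefix + accountId).Select(c => c.Value).ToList();
        AccountAccess level;
        if (values.Count != 1 || !Enum.TryParse(values[0], out level)
            || !Enum.IsDefined(typeof(AccountAccess), level))
            return AccountAccess.None;
        return level;
    }

    public static bool CanWrite(ClaimsPrincipal user, string accountId)
    {
        return GetAccess(user, accountId) == AccountAccess.Full;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample data matching the post's example.
        var bob = AccountClaims.Build("bob", new Dictionary<string, AccountAccess>
            { { "ACC0001", AccountAccess.Full } });
        var alice = AccountClaims.Build("alice", new Dictionary<string, AccountAccess>
            { { "ACC0001", AccountAccess.ReadOnly }, { "ACC0002", AccountAccess.Full } });

        Console.WriteLine(AccountClaims.GetAccess(bob, "ACC0002"));   // no claim for this account
        Console.WriteLine(AccountClaims.GetAccess(alice, "ACC0001"));
        Console.WriteLine(AccountClaims.CanWrite(alice, "ACC0002"));
    }
}
```

Claims are fixed when the identity is issued, so a change to a user's account access in the database is not reflected in these checks until the identity is reissued.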