Best Practice for limiting access in many pages

  • Question

  • User184298885 posted

    Hi there.

    I am making an ERP system with MVC 5 and am still struggling with limiting access for users. This system will have around 100 models, and each user will have custom access depending on his position. I am thinking about making separate roles for each model and action, for example:

    Model Master Customer will have roles :

    1. CustomerCreate (For create customer)
    2. CustomerEdit (for edit customer)
    3. CustomerDelete (for delete customer)
    4. CustomerView (for view customer)
    5. CustomerPrint (for print customer)

    Each model will have that kind of roles, and there will be groups for assigning their roles, like group Sales, Accounting, Admin, etc., to make assigning roles to users easy. When a user is assigned to a group, all roles will be copied to the user, and when a group's roles are edited, all users related to this group will be updated too.

    From this current model, I will have around 500 roles, but is this good practice for this kind of situation? Or is there any better solution for this problem?

    Thank you..

    Thursday, December 6, 2018 8:50 PM

Answers

All replies

  • User-1823088829 posted

    You can use Asp.Net Identity

    https://docs.microsoft.com/en-us/aspnet/identity/index

    Thursday, December 6, 2018 9:12 PM
  • User475983607 posted

    From this current model, I will have around 500 roles but is this a good practice for this kind of situation?

    No

    Or is there any better solution for this problem?

    Look into claim and policy based authorization.

    https://docs.microsoft.com/en-us/aspnet/core/security/authorization/claims?view=aspnetcore-2.2

    https://docs.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-2.2

    Visit the security overview docs from the learn link above to get started.

    https://docs.microsoft.com/en-us/aspnet/core/security/?view=aspnetcore-2.2

    Thursday, December 6, 2018 9:15 PM
  • User184298885 posted

    - double post -

    Thursday, December 6, 2018 9:32 PM
  • User184298885 posted

    You can use Asp.Net Identity

    https://docs.microsoft.com/en-us/aspnet/identity/index

    It is ASP.NET Identity that I described in this post.

    Thursday, December 6, 2018 9:37 PM
  • User1520731567 posted

    Hi junrikson,

    According to your description, I don't think there is any shortcut.

    How many groups, how many roles, how many users: these you need to design yourself.

    Before development, you need to do a requirements analysis and make a reasonable database design.

    Best Regards.

    Yuki Tao

    Friday, December 7, 2018 8:52 AM
  • User184298885 posted

    Hi junrikson,

    According to your description, I don't think there is any shortcut.

    How many groups, how many roles, how many users: these you need to design yourself.

    Before development, you need to do a requirements analysis and make a reasonable database design.

    Best Regards.

    Yuki Tao

    Hi there, I don't have any problem with database design; the models, views and controllers for groups and users are already done. And currently I am thinking about the best practice to apply roles/authority/page access for all users.

    Friday, December 7, 2018 10:26 AM
  • User475983607 posted

    I don't have any problem with database design; the models, views and controllers for groups and users are already done. And currently I am thinking about the best practice to apply roles/authority/page access for all users.

    500 roles is excessive.  IMHO, you need to rethink the security design.

    Look into claims and policy based authorization as it centralizes security logic.  Plus claims further describe users and roles.  Rather than having many different roles, you can have generic roles then apply claims to further describe the user security access.

    Friday, December 7, 2018 1:12 PM
  • User184298885 posted

    500 roles is excessive.  IMHO, you need to rethink the security design.

    Look into claims and policy based authorization as it centralizes security logic.  Plus claims further describe users and roles.  Rather than having many different roles, you can have generic roles then apply claims to further describe the user security access.

    I will try with claims, and will accept your answer if there is no better opinion. Thank you.

    Friday, December 7, 2018 6:34 PM
  • User323983933 posted

    Typically you'd have a few roles (or groups) and assign them all over the system.

    Like Guest, Customer, User, Admin, SuperUser.

    • a Guest may have access to no more than a home page and a login page.
    • a Customer can view his own orders and payments, but no others.
    • a User can view any customer's records and enter new orders for them.
    • an admin can edit lookup tables, may have limited delete capabilities, and create/edit users.
    • a superuser can do anything.

    If you want to split up Users into Sales, marketing, accounting, janitorial, whatever, you can do that too.

    Users are assigned roles.

    Users can have more than one role. like stockroom AND sales.

    All you need to do now is look up MVC Authentication with Roles and follow a tutorial.  Make sure it's MVC and not ASP.NET because the older system will not work in MVC.

    Saturday, December 8, 2018 12:24 AM
  • User184298885 posted

    some_yahoo

    Typically you'd have a few roles (or groups) and assign them all over the system.

    Like Guest, Customer, User, Admin, SuperUser.

    • a Guest may have access to no more than a home page and a login page.
    • a Customer can view his own orders and payments, but no others.
    • a User can view any customer's records and enter new orders for them.
    • an admin can edit lookup tables, may have limited delete capabilities, and create/edit users.
    • a superuser can do anything.

    If you want to split up Users into Sales, marketing, accounting, janitorial, whatever, you can do that too.

    Users are assigned roles.

    Users can have more than one role. like stockroom AND sales.

    Yes, I know what roles are. But when we are talking about an ERP system for a company, it will have really customized access for every user, for maybe around 4000 of their employees. Someone just has access to view some page. Someone just has access to add items, and some others can have access to edit and even delete. Even if they are Sales or Accounting, there will be a limitation for some users. Oh wait, even sometimes someone from Sales 1 changes roles for some menu to Sales 2; we can't hardcode it like you said. Every page and action must have different roles. That's why there will be around 500 roles, and I'm asking whether it is best practice or not.

    All you need to do now is look up MVC Authentication with Roles and follow a tutorial.  Make sure it's MVC and not ASP.NET because the older system will not work in MVC.

    Yes, it is MVC 5, just like I stated in question.

    Saturday, December 8, 2018 7:34 AM
  • User184298885 posted

    After looking at your answer about this, I cannot find this solution in MVC 5.

    Tuesday, December 18, 2018 3:14 AM
  • User475983607 posted

    After looking at your answer about this, I cannot find this solution in MVC 5.

    The links explain how to secure controller actions using claims and claim policies.  Sorry this standard practice does not fit your needs.

    Tuesday, December 18, 2018 11:37 AM
  • User-474980206 posted

    Yours is a very common scenario. The most common approach is to have action privileges: each function (and some display elements) has its own privilege. 500 is not a large number; I have had more than that. Just assign the privileges incrementing numbers. You can use an array of bits, 0/1 or Y/N, to represent the user having the privilege.

    // one privilege per function, identified by its enum number
    public enum Privileges { Priv1, Priv2, ...}

    // custom authorization attribute that checks the caller holds the privilege
    [Access(Privileges.Priv1)]
    public ActionResult Foo(...)

    The next issue is management. Having hundreds of users with hundreds of privileges is too complex. You should allow the definition of custom groups of privileges, and have users belong to multiple groups. A user's privileges would be the sum of all the groups. Optionally you can add deny groups. This is a pretty simple SQL schema, and it's easy to resolve the user's permissions with one query.

    You can use a simple custom role provider and a simple authorization attribute.

    Not counting the UI for maintaining the users, groups and permissions, it's probably a 3 point story.


    Tuesday, December 18, 2018 2:18 PM
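Bruce's allow/deny groups resolved into a bit array, written out as an added example (this is not his code, nor any library's). The enum members, the three assumed tables named in the comment, the PrivilegeGroup and PrivilegeResolver names, and the sample groups are all constructed here for illustration.

```csharp
// Added example (not bruce's code): a user's effective privileges as the union of
// their allow groups minus any deny group, kept as a bit array indexed by the
// privilege number. Enum members, table shapes and sample data are constructed here.
using System;
using System.Collections;
using System.Collections.Generic;
using System.Linq;

// One contiguous number per action privilege. New privileges are appended, never
// renumbered, because the number is what gets persisted.
public enum Privileges
{
    CustomerView = 0, CustomerCreate = 1, CustomerEdit = 2, CustomerDelete = 3, CustomerPrint = 4,
    InvoiceView = 5, InvoiceCreate = 6, InvoiceApprove = 7
}

// Assumed tables: Groups(Id, Name, IsDeny), GroupPrivileges(GroupId, Privilege),
// UserGroups(UserId, GroupId). Resolve() below is the in-memory form of this one query:
//   SELECT gp.Privilege
//   FROM UserGroups ug
//   JOIN Groups g           ON g.Id = ug.GroupId
//   JOIN GroupPrivileges gp ON gp.GroupId = g.Id
//   WHERE ug.UserId = @userId
//   GROUP BY gp.Privilege
//   HAVING MAX(CASE WHEN g.IsDeny = 1 THEN 1 ELSE 0 END) = 0
public sealed class PrivilegeGroup
{
    public int Id;
    public string Name;
    public bool IsDeny;   // a deny group removes privileges instead of adding them
    public HashSet<Privileges> Members = new HashSet<Privileges>();

    public PrivilegeGroup(int id, string name, bool isDeny, params Privileges[] privileges)
    {
        Id = id; Name = name; IsDeny = isDeny;
        Members.UnionWith(privileges);
    }
}

public static class PrivilegeResolver
{
    private static readonly int Count = Enum.GetValues(typeof(Privileges)).Length;

    public static BitArray Resolve(IEnumerable<PrivilegeGroup> userGroups)
    {
        var allowed = new BitArray(Count);   // all false: nothing is granted by default
        var denied = new BitArray(Count);
        foreach (var g in userGroups)
            foreach (var p in g.Members)
                (g.IsDeny ? denied : allowed)[(int)p] = true;
        return allowed.And(denied.Not());    // allow minus deny; deny wins on conflict
    }

    public static bool Has(BitArray effective, Privileges p)
    {
        return effective[(int)p];
    }

    // Persisted/cached form, e.g. a CHAR(N) column holding Y/N per privilege.
    public static string ToYN(BitArray effective)
    {
        return new string(effective.Cast<bool>().Select(b => b ? 'Y' : 'N').ToArray());
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: two allow groups and one deny group.
        var sales = new PrivilegeGroup(1, "Sales", false,
            Privileges.CustomerView, Privileges.CustomerCreate, Privileges.CustomerEdit, Privileges.InvoiceView);
        var accounting = new PrivilegeGroup(2, "Accounting", false,
            Privileges.InvoiceView, Privileges.InvoiceCreate, Privileges.InvoiceApprove);
        var trainee = new PrivilegeGroup(3, "Trainee", true,   // deny group
            Privileges.CustomerEdit, Privileges.InvoiceApprove);

        // A user in Sales and Accounting who is also flagged as a trainee:
        // CustomerEdit and InvoiceApprove are granted by a group but stripped by the deny group.
        var effective = PrivilegeResolver.Resolve(new[] { sales, accounting, trainee });
        foreach (Privileges p in Enum.GetValues(typeof(Privileges)))
            Console.WriteLine("{0,-16} {1}", p, PrivilegeResolver.Has(effective, p) ? "allowed" : "denied");
        Console.WriteLine(PrivilegeResolver.ToYN(effective));
    }
}
```

Deny wins on conflict, so a deny group can carve exceptions out of a broad allow group without cloning it. The resolved bit array is what the Access attribute in the post would consult (cached per session or recomputed per request); it only answers "may this user run this action", so ownership of a particular row is still a check inside the action.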
  • User184298885 posted

    bruce (sqlwork.com)

    Yours is a very common scenario. The most common approach is to have action privileges: each function (and some display elements) has its own privilege. 500 is not a large number; I have had more than that. Just assign the privileges incrementing numbers. You can use an array of bits, 0/1 or Y/N, to represent the user having the privilege.

    // one privilege per function, identified by its enum number
    public enum Privileges { Priv1, Priv2, ...}

    // custom authorization attribute that checks the caller holds the privilege
    [Access(Privileges.Priv1)]
    public ActionResult Foo(...)

    The next issue is management. Having hundreds of users with hundreds of privileges is too complex. You should allow the definition of custom groups of privileges, and have users belong to multiple groups. A user's privileges would be the sum of all the groups. Optionally you can add deny groups. This is a pretty simple SQL schema, and it's easy to resolve the user's permissions with one query.

    You can use a simple custom role provider and a simple authorization attribute.

    Not counting the UI for maintaining the users, groups and permissions, it's probably a 3 point story.

    Hi there,

    I'm doing exactly like you said. Instead of using an enum, I'm using privileges based on the database. My current model now:

    1. Privileges :

      using System.Collections.Generic;

      public class Privileges
      {
          public System.Guid Id { get; set; }
          public int Order { get; set; }
          public string Code { get; set; }

          public virtual ICollection<Group> Groups { get; set; }

          public Privileges()
          {
              // constructor renamed to match the class; the collection it
              // initializes is the Groups property declared above
              this.Groups = new HashSet<Group>();
          }
      }

    2. Groups many-to-many to Privileges :

      public class Group
      {
          public System.Guid Id { get; set; }
          public string Code { get; set; }

          public virtual ICollection<Privileges> Privileges { get; set; }

          public Group()
          {
              this.Privileges = new HashSet<Privileges>();
          }
      }

    3. Users many-to-one to Groups :

      // class name assumed; the post lists only the members
      public class User
      {
          public System.Guid Id { get; set; }
          public string Code { get; set; }
          public System.Guid GroupId { get; set; }

          public virtual Group Group { get; set; }
      }

    I can get its many-to-many relationship working, but I'm still confused about how to work with this Access and privileges, or should I be using claims? The UI is quite tricky, but I got it done after 4 hours of struggling. http://prntscr.com/lwrxyb

    Thank you.

    Wednesday, December 19, 2018 2:08 AM
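Putting the model above to work in MVC 5, as an added example that is not code from the thread or from ASP.NET. It follows the claims advice given earlier in the thread (privilege claims issued at sign-in, checked by an attribute on each action) using the poster's Privileges/Group/User classes; the user class name User, the claim type name urn:erp:privilege and the sample controller are assumptions made here, and it expects ASP.NET Identity's OWIN cookie middleware to be configured as in the MVC 5 project template.

```csharp
// Added example (not from the thread): turning the Privileges/Group/User model above
// into per-action authorization in ASP.NET MVC 5 via claims.
// Assumptions: the three model classes from the post (user class name "User" assumed),
// ASP.NET Identity's OWIN cookie sign-in, and a claim type name chosen here.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;

public static class PrivilegeClaims
{
    // One claim per privilege Code ("CustomerEdit"), all under this single claim type.
    public const string ClaimType = "urn:erp:privilege";

    // Codes granted through the user's Group (User -> Group -> Privileges).
    public static IEnumerable<string> CodesFor(User user)
    {
        if (user.Group == null) return Enumerable.Empty<string>();
        return user.Group.Privileges.Select(p => p.Code);
    }

    // Build the identity once at sign-in, so a request never has to hit the database
    // to authorize. Called in the login action after the password has been verified:
    //   var identity = PrivilegeClaims.BuildIdentity(user, DefaultAuthenticationTypes.ApplicationCookie);
    //   HttpContext.GetOwinContext().Authentication.SignIn(identity);
    public static ClaimsIdentity BuildIdentity(User user, string authenticationType)
    {
        var identity = new ClaimsIdentity(authenticationType);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()));
        identity.AddClaim(new Claim(ClaimTypes.Name, user.Code));
        foreach (var code in CodesFor(user).Distinct(StringComparer.Ordinal))
            identity.AddClaim(new Claim(ClaimType, code));
        return identity;
    }
}

// Replaces [Authorize(Roles = "...")]: the action names the privilege codes it needs.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = true)]
public sealed class RequirePrivilegeAttribute : AuthorizeAttribute
{
    private readonly string[] _codes;

    public RequirePrivilegeAttribute(params string[] codes)
    {
        _codes = codes ?? new string[0];
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base check: authenticated (plus any Users/Roles set on the attribute).
        if (!base.AuthorizeCore(httpContext)) return false;
        var principal = httpContext.User as ClaimsPrincipal;
        if (principal == null) return false;
        // Deny by default: every listed code must be present as a claim.
        return _codes.All(c => principal.HasClaim(PrivilegeClaims.ClaimType, c));
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Authenticated but missing the privilege: answer 403 instead of
        // bouncing the user back to the login page.
        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

// Usage: one attribute per action, matching the CustomerView/CustomerEdit/... codes
// stored in the Privileges table. Controller and actions are illustrative.
public class CustomerController : Controller
{
    [RequirePrivilege("CustomerView")]
    public ActionResult Details(Guid id)
    {
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    [RequirePrivilege("CustomerEdit")]
    public ActionResult Edit(Guid id)
    {
        return RedirectToAction("Details", new { id });
    }
}
```

Because the privilege codes are copied into the cookie at sign-in, editing a group's privileges reaches its members at their next sign-in; to force it sooner, change the affected users' SecurityStamp so that Identity's SecurityStampValidator (configured in the template's Startup.Auth.cs) regenerates their identity. The attribute only gates whole actions: a rule like "a customer can view only his own orders" is a check on the row inside the action, not a privilege code.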
  • User184298885 posted

    Looks like a roles-based scenario is the one for this problem; I ended up still using roles and group roles, according to this blog

    http://johnatten.com/2014/02/13/asp-net-mvc-5-identity-extending-and-modifying-roles/

    Thank you

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, December 19, 2018 10:17 PM