I have to develop a user management application. I need to authorize the user at the data level. Ex:
Taking a banking example:
When a user logs in, he will be able to see only some clients, some state branches and some district branches, depending on the branches, facilities etc. assigned to him in the user management application. This changes for different users.
Please can anyone help me out with this level of authorization? Are any standard tools available, or if not, what would be a good DB model for this?
You need to implement your own authorization mechanism: you need to create a control table where you store the user access level, (assuming a lot of things) something like:
UserAuthorization (UserId, EntityId, EntityType)
UserId: Reference to User.
EntityId: Id of the element you want to grant access to.
EntityType: Type of element you want to grant access to (Client, State, District, Facility)
+--------+----------+------------+
| UserId | EntityId | EntityType |
+--------+----------+------------+
|      1 |        2 | CLIENT     |
|      1 |        2 | STATE      |
|      1 |        3 | DISTRICT   |
+--------+----------+------------+
You can and should use an integer to represent EntityType; I wrote it as text just for the example.
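To show what the control table above does at query time, here is an added example (not part of the original answer) that builds it in SQLite, with integer EntityType codes as the answer recommends, and filters a Client table through it. The schema, table names and sample rows are constructed for the example; the point is that the grant check is a join inside the query, so a user without grants gets nothing back, and that (EntityId, EntityType) must be read together because the same EntityId can appear for a client and for a state.

```python
import sqlite3

# Integer codes for EntityType, as the answer recommends instead of text.
CLIENT, STATE, DISTRICT, FACILITY = 1, 2, 3, 4

# Control table alongside one business table. The composite primary key means
# (EntityId=2, CLIENT) and (EntityId=2, STATE) are distinct grants: EntityId is
# only meaningful together with its EntityType.
SCHEMA = """
CREATE TABLE Client (
    ClientId INTEGER PRIMARY KEY,
    Name     TEXT NOT NULL
);
CREATE TABLE UserAuthorization (
    UserId     INTEGER NOT NULL,
    EntityId   INTEGER NOT NULL,
    EntityType INTEGER NOT NULL,
    PRIMARY KEY (UserId, EntityId, EntityType)
);
"""

# Constructed sample data, not taken from the original post.
CLIENTS = [(1, "Acme Corp"), (2, "Beta Ltd"), (3, "Gamma plc")]
GRANTS = [
    (1, 2, CLIENT),    # user 1 sees client 2 ...
    (1, 2, STATE),     # ... state 2 ...
    (1, 3, DISTRICT),  # ... and district 3
    (2, 1, CLIENT),    # user 2 sees clients 1 and 3
    (2, 3, CLIENT),
]


def open_db():
    """Build the in-memory database with schema and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Client VALUES (?, ?)", CLIENTS)
    conn.executemany("INSERT INTO UserAuthorization VALUES (?, ?, ?)", GRANTS)
    return conn


def visible_clients(conn, user_id):
    """Clients the user may see, as (ClientId, Name) tuples.

    The grant check is a join inside the query, so unauthorised rows never
    leave the database and a user with no grants gets an empty result.
    """
    return conn.execute(
        """
        SELECT c.ClientId, c.Name
        FROM Client AS c
        JOIN UserAuthorization AS ua
          ON ua.EntityId = c.ClientId
         AND ua.EntityType = ?
        WHERE ua.UserId = ?
        ORDER BY c.ClientId
        """,
        (CLIENT, user_id),
    ).fetchall()


def can_access(conn, user_id, entity_id, entity_type):
    """Point check for one entity, e.g. before serving a single client page."""
    row = conn.execute(
        "SELECT 1 FROM UserAuthorization"
        " WHERE UserId = ? AND EntityId = ? AND EntityType = ?",
        (user_id, entity_id, entity_type),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = open_db()
    print(visible_clients(db, 1))            # [(2, 'Beta Ltd')]
    print(visible_clients(db, 2))            # [(1, 'Acme Corp'), (3, 'Gamma plc')]
    print(can_access(db, 1, 3, DISTRICT))    # True
    print(can_access(db, 1, 3, CLIENT))      # False
```

Filtering in the query rather than in application code after the fact is what keeps the rule "deny unless granted" intact: a forgotten check in a new screen still cannot return rows the control table does not cover.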
You could look at ClaimsPrincipal and using claims-based authorization. In .Net 4.5 WIF is integrated. You can see a summary here: http://msdn.microsoft.com/en-us/library/ms729851.aspx
You would probably have to create access control lists around each of the entities in the system. Ultimately you need to have an easy way to uniquely define the entity; I thought of using a GUID. Then require a claim for that GUID. You could obviously get more complex and require read/write type permissions. You may end up with a lot of claims if you directly grant access per entity.
Ultimately, do you want to be defining access rights on individual entities? Some sort of grouping may be better. If you can manage the bank you can manage all its states; if you manage its district you manage all the district branches, etc.
I'd try grouping users into groups and then assigning access rights to the groups. When you manage files in NTFS you rarely find yourself granting access to an individual file.
If you grant someone permission for the group of entities, do some sort of group check first, and if they don't have that claim then do the entity check.
You would probably need to do some custom stuff with http://msdn.microsoft.com/en-us/library/system.security.claims.claimsauthorizationmanager.aspx. Pass in the Claim that you want (Edit Bank etc.) and then it checks whether you have permission on that particular bank. I think you have to do the logic for the ACL in the CheckAccess method.
Also have a look at http://thinktecture.github.com/Thinktecture.IdentityModel.45/
I also found the following post http://leastprivilege.com/2012/06/24/approaches-to-server-side-authorization/ - read Lucero's suggestion at the end. Basically as above.
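The group-first, then entity check that this answer describes, as an added example that is not part of the original answer and does not use WIF itself. It models the bank > state > district > branch grouping with (action, entity) claims attached to groups, plus one direct grant on a single branch, and a `check_access` function standing in for the custom CheckAccess logic the answer refers to. The hierarchy, group names, user names and claims are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entity:
    kind: str   # bank, state, district, branch
    id: str


# Constructed hierarchy (assumption): child -> parent. One bank with two
# states, each state with a district, each district with branches.
PARENT = {
    Entity("state", "st-1"): Entity("bank", "bank-1"),
    Entity("state", "st-2"): Entity("bank", "bank-1"),
    Entity("district", "d-3"): Entity("state", "st-1"),
    Entity("district", "d-4"): Entity("state", "st-2"),
    Entity("branch", "br-7"): Entity("district", "d-3"),
    Entity("branch", "br-8"): Entity("district", "d-3"),
    Entity("branch", "br-9"): Entity("district", "d-4"),
}

# Claims are (action, Entity) pairs. Rights are attached to groups, plus the
# occasional direct grant on a single entity; all names are constructed.
GROUP_CLAIMS = {
    "bank-managers": {("edit", Entity("bank", "bank-1"))},
    "district-3-staff": {("read", Entity("district", "d-3"))},
}
USER_GROUPS = {"alice": {"bank-managers"}, "bob": {"district-3-staff"}}
USER_CLAIMS = {"bob": {("edit", Entity("branch", "br-7"))}}


def scopes(entity):
    """Enclosing groups of an entity, outermost first, ending with the entity itself."""
    chain = []
    while entity is not None:
        chain.append(entity)
        entity = PARENT.get(entity)
    return list(reversed(chain))


def effective_claims(user):
    """Direct claims plus the claims of every group the user belongs to."""
    claims = set(USER_CLAIMS.get(user, set()))
    for group in USER_GROUPS.get(user, ()):
        claims |= GROUP_CLAIMS.get(group, set())
    return claims


def check_access(user, action, entity):
    """Group check first (bank, then state, then district), then the entity itself.

    Plays the role the answer gives to ClaimsAuthorizationManager.CheckAccess:
    the caller asks for an action on one resource and gets a yes/no. A claim
    on a group covers everything beneath it; no matching claim means deny.
    """
    claims = effective_claims(user)
    return any((action, scope) in claims for scope in scopes(entity))


if __name__ == "__main__":
    print(check_access("alice", "edit", Entity("branch", "br-9")))  # True, via bank-1
    print(check_access("bob", "read", Entity("branch", "br-8")))    # True, via d-3
    print(check_access("bob", "edit", Entity("branch", "br-8")))    # False
    print(check_access("bob", "edit", Entity("branch", "br-7")))    # True, direct grant
```

Actions are independent here: an "edit" claim does not grant "read". If the application wants edit to imply read, that implication belongs in `check_access`, in one place, rather than in duplicated grants per user.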