Permissions Design

Question

I have an application that has content that needs to be setup for permissions (i.e. member/non-member)

I have roles/authentication setup just fine, that is not my issue. My question is basically asking the best way to store permissions for each object. Essentially there is "Guest" and "Member" roles, and simple "Allow" "Deny" permissions for each object.

Any ideas? The program is written in ASP.NET MVC using C#, LINQ, and MS-SQL 2005.

Answer 1

If you want to protect assets (files, database rows, Domain Entities, documents, etc.) instead of application features or user abilities, role-based security doesn't fit very well.

A better model is to use Access Control Lists (ACLs) like you know from NTFS. You almost said it yourself because you need to assign particular permissions on each object for each user or role. That's what an ACL does.

If you need to protect objects that are ultimately rows in SQL Server, you will need to define custom tables for your ACLs, since SQL Server has no support for row-level permissions.

Based on the data in those ACLs, you must implement the necessary security checks in your Data Access Components.

Here are some links to related SO answers:

• Access Control in ASP.NET MVC depending on input parameters / service layer?
• What is the best mechanism to implement granular security (i.e. authorization) in an ASP.NET MVC application?
• How to implement an invitation code to share resource with another user?