Roles for user

Topics: CAB & Smart Client Software Factory
May 14, 2007 at 1:30 PM
Edited May 14, 2007 at 1:36 PM
Hi everybody.

Our app's requirements have changed, oh no! And I'm looking for the best practice to implement them.

Well, now our client wants user roles to be based on the module the client is working in. For example, our application loads two modules at startup, and a user could have the "ADMIN" role in the Customers Module and "GENERAL-USER" in the Reports Module.

I think the best way of implementing this is registering a GetRoleService in the RootWorkItem.Services collection and then, at each module load, retrieving the user roles for that module and storing them in a WorkItem.State variable. Is this the best way of doing this?

Nevertheless, I know that if in the future I have to implement module loading based on roles, this is totally useless for it. Isn't it?

Thanks a lot for your attention
Sergio

May 14, 2007 at 5:58 PM
In our application we fetch the user roles at the time we perform authentication. So on a successful login we fetch all the roles as well, and pass those back as part of the authentication response. From there you can load modules based on roles.

May 14, 2007 at 6:13 PM
Have you looked into implementing the IPrincipal and IIdentity interfaces of the System.Security namespace? Could each module implement these interfaces in its own way and then switch the thread's authentication based on which module the user is currently working in? But I don't know how to tell which module the user is currently working in. I haven't tried this... it's just an idea.
May 14, 2007 at 6:15 PM
Edited May 14, 2007 at 6:18 PM
I guess the fastest way to handle this is just to separate roles by including the module name in the role. So if you need the "Admin" role you actually have several roles:
AdminCustomers
AdminOrders
AdminInvoices

"User" role:
UserCustomers
UserOrders
UserInvoices

Another solution is using Rules in addition to Roles from EntLib security library.

-
Leonid
May 14, 2007 at 7:26 PM
I would say you should have an AuthorizationService at the root level that determines the permission for the active module. So in every module you will have a reference to the AuthZService. If you need to implement module loading based on roles, all you need is to create your own ModuleLoaderService with the AuthZService injected by the DI (dependency injection) system and, before loading the module, check that the module has permission through the AuthZService.

Mani

May 15, 2007 at 6:37 AM
Hi!

Thanks a lot for your answers, I'll try to answer each one.

1- Chris, I had done it like you say. But now the requirements have changed and the priority is to have roles based on modules and, perhaps in the future, to load modules based on roles, so I have to change my application service to solve this and put role-based module loading in second place.

2- Stuppi. That's the problem: knowing which module the user is working in, because I can get roles like Chris said, but then at runtime I don't have any way to link them to the active module.

3- Leonid. I have to get data from a table, and the table keys are Module and Role, so that way I would have to do dirty work to separate those two fields from the role name, and it isn't very clear.

4- Mani, thanks for your idea, I think I'll try this. I will implement the auth service, and then if users want to load modules based on roles, I'll try to inject that service for that. I don't want to have 2 different authentication services for two very similar things.

Thanks a lot again for your attention.

Sergio
May 15, 2007 at 5:09 PM

RoTTeN wrote:
Hi!

Thanks a lot for your answers, I'll try to answer each one.

1- Chris, I had done it like you say. But now the requirements have changed and the priority is to have roles based on modules and, perhaps in the future, to load modules based on roles, so I have to change my application service to solve this and put role-based module loading in second place.

2- Stuppi. That's the problem: knowing which module the user is working in, because I can get roles like Chris said, but then at runtime I don't have any way to link them to the active module.

3- Leonid. I have to get data from a table, and the table keys are Module and Role, so that way I would have to do dirty work to separate those two fields from the role name, and it isn't very clear.

Here's an idea: When you fetch roles, store them in an object (like ModuleRoles) that has a field like ModuleName. Each module would get its own ModuleRoles object. The end result would be a list of ModuleRoles objects. Then, in your code, when you need to perform some authentication on an action or set some UI element based on a role, you can query the list for the ModuleRoles object that matches the module name, and check the roles on that object.

There's got to be a way to segregate each set of roles per module, and then have each module intelligently query some object for the roles that pertain to it.
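
The per-module role lookup discussed in this thread, as an added example that is not code from any participant and not part of CAB or EntLib: one authorization service keyed on module and role, denying by default, that can also gate module loading. The class and method names are hypothetical and the sample rows are constructed.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical names throughout; none of these types come from CAB or EntLib.
public sealed class ModuleAuthorizationService
{
    // Module name -> roles the authenticated user holds in that module.
    private readonly Dictionary<string, HashSet<string>> _rolesByModule =
        new Dictionary<string, HashSet<string>>(StringComparer.Ordinal);

    // rows: (Module, Role) pairs fetched for the user at login,
    // mirroring a table keyed on Module and Role.
    public ModuleAuthorizationService(IEnumerable<KeyValuePair<string, string>> rows)
    {
        foreach (var row in rows)
        {
            if (string.IsNullOrEmpty(row.Key) || string.IsNullOrEmpty(row.Value))
                continue; // skip malformed rows rather than grant on them
            if (!_rolesByModule.TryGetValue(row.Key, out var roles))
                _rolesByModule[row.Key] = roles = new HashSet<string>(StringComparer.Ordinal);
            roles.Add(row.Value);
        }
    }

    // Deny by default: an unknown module or a missing role returns false.
    public bool IsInRole(string moduleName, string role) =>
        moduleName != null && role != null
        && _rolesByModule.TryGetValue(moduleName, out var roles)
        && roles.Contains(role);

    // A module loader can call this before loading: no roles, no load.
    public bool CanLoadModule(string moduleName) =>
        moduleName != null
        && _rolesByModule.TryGetValue(moduleName, out var roles)
        && roles.Count > 0;
}

public static class Demo
{
    public static void Main()
    {
        var authz = new ModuleAuthorizationService(new[] { // constructed sample rows
            new KeyValuePair<string, string>("Customers", "ADMIN"),
            new KeyValuePair<string, string>("Reports", "GENERAL-USER") });
        Console.WriteLine(authz.IsInRole("Customers", "ADMIN"));
        Console.WriteLine(authz.IsInRole("Reports", "ADMIN"));
        Console.WriteLine(authz.CanLoadModule("Orders"));
    }
}
```

Each module passes its own name explicitly, so the service never has to guess which module is active, and the same instance can be registered once at the root level and reused by a module loader.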