Non-RBAC User Roles and Permissions System: checking the user's City

We are currently designing a User Roles and Permissions System in our web application (ASP.NET), and it seems that we have several cases that do not fit within the classical Role-Based Access Control (RBAC). I will post several questions, each devoted to a particular case, this being the first post.

We have the following case: not to allow a user to view a certain page if the user lives in a particular city. This is a simple case that is coded in the following way:

if (User.City == "Moscow")
{
    // Allow the user to view the page.
}
else
{
    // Do not allow the user to view this page.
}

Though this case is very simple and straightforward, it has nothing to do with the RBAC.

On StackOverflow, someone called this an Attribute-based Access Control.

Under the classical RBAC, it seems that this case should be designed like this: introduce a permission "City where the person lives"; this permission will have a property City. Then create a role, add a permission of type "City = Moscow" to it and then assign the role to the user. Looks extremely cumbersome.

The question is whether it is acceptable to introduce such non-RBAC approaches to our permissions system – does that break the design or not?

This might seem a primitive question, but we found that most applications use pure RBAC, and we started to think that we might be doing something wrong.

Thank you.

Answers

This would be a nice case for an attribute-based access control. However, if you don't mind looking at a PHP implementation, Zend Framework has a role-based access control that uses assertions to solve more special cases:

http://framework.zend.com/manual/en/zend.acl.advanced.html

A standard rule would allow a role to do an action on a resource. A fourth parameter allows the rule only to apply when some condition is met. In pseudocode:

allow(member, view, page) // standard
allow(member, view, page, userLivesInMoscow) // assertion used

The assertion is an object that is passed the user. It has a method that checks whether the assertion is met:

interface Assertion
{
    public function assert(): bool;
}

class UserLivesIn implements Assertion
{
    // Assumes the application's User class exposes getCity().
    public function __construct(private User $user, private string $city) {}

    // The assertion is met only when the user's recorded city matches the required one.
    public function assert(): bool { return $this->user->getCity() === $this->city; }
}

This is a way of implementing what you need.
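As an added example (not part of the original question or answer, and not Zend's code), here is the answer's "allow(role, action, resource, assertion)" idea written in C#, the language of the asker's ASP.NET application. The User, Acl, Assertion and Assertions names are invented for this illustration, and the ACL is a small in-memory table rather than a framework component.

```csharp
using System;
using System.Collections.Generic;

// Added example: a deny-by-default ACL where a rule grants (role, action, resource)
// and may carry an extra attribute-based condition ("assertion"), as in the answer.
// All types here are invented for the illustration.

public sealed class User
{
    public string Name { get; }
    public string Role { get; }
    // The city must come from the server-side profile, never from request input,
    // otherwise the assertion is decided by whoever controls the request.
    public string City { get; }

    public User(string name, string role, string city)
    {
        Name = name; Role = role; City = city;
    }
}

// An assertion is a predicate over the user and the requested access.
public delegate bool Assertion(User user, string action, string resource);

public sealed class Acl
{
    private sealed class Rule
    {
        public string Role, Action, Resource;
        public Assertion Condition;   // null means the role rule applies unconditionally
    }

    private readonly List<Rule> _rules = new List<Rule>();

    // Equivalent of the answer's allow(role, action, resource[, assertion]).
    public void Allow(string role, string action, string resource, Assertion condition = null)
    {
        _rules.Add(new Rule { Role = role, Action = action, Resource = resource, Condition = condition });
    }

    // Deny by default: access is granted only when some rule matches the role,
    // action and resource AND its assertion (if any) holds for this user.
    public bool IsAllowed(User user, string action, string resource)
    {
        foreach (var rule in _rules)
        {
            if (rule.Role != user.Role || rule.Action != action || rule.Resource != resource)
                continue;
            if (rule.Condition == null || rule.Condition(user, action, resource))
                return true;
        }
        return false;
    }
}

public static class Assertions
{
    // The question's "user lives in Moscow" check as a reusable assertion.
    public static Assertion LivesIn(string city) =>
        (user, action, resource) => string.Equals(user.City, city, StringComparison.Ordinal);
}

public static class Program
{
    public static void Main()
    {
        var acl = new Acl();
        acl.Allow("member", "view", "home");                                      // plain RBAC rule
        acl.Allow("member", "view", "moscow-page", Assertions.LivesIn("Moscow")); // rule with assertion

        // Constructed sample users.
        var ivan  = new User("ivan",  "member", "Moscow");
        var anna  = new User("anna",  "member", "Berlin");
        var guest = new User("guest", "guest",  "Moscow");

        Console.WriteLine("ivan views home:         " + acl.IsAllowed(ivan,  "view", "home"));
        Console.WriteLine("ivan views moscow-page:  " + acl.IsAllowed(ivan,  "view", "moscow-page"));
        Console.WriteLine("anna views moscow-page:  " + acl.IsAllowed(anna,  "view", "moscow-page")); // assertion fails
        Console.WriteLine("guest views moscow-page: " + acl.IsAllowed(guest, "view", "moscow-page")); // role never granted
        Console.WriteLine("anna edits home:         " + acl.IsAllowed(anna,  "edit", "home"));        // no rule at all
    }
}
```

Two points worth keeping when you adopt this shape: the assertion is evaluated only after the role, action and resource have matched, so it narrows a grant rather than creating one, and the decision stays deny-by-default when no rule applies. The attribute the assertion reads (here City) must be loaded server-side from the user's profile; if it can be influenced by the request, the check is decided by the client.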
