We have a rather complicated system of permission handling in our (ASP.NET web) application. Users can have specific permissions on different kinds of objects, some permissions are even packed into groups / roles that are assigned to users. All in all this ends up in a pretty complicated mess where for determining whether a user can do / see something you have to evaluate many different sources of permissions and this is done somehow on-demand and based on specific situations.
My question is (from a high level point of view) whether there are some suggestions / common design patterns to deal with permission concept in general and probably also what is your experience with handling them in your architecture.
whats the best practice to provision user roles --> Roles should always be assigned to groups rather than individual users. Also, even if users are not getting created manually, ensure the roles/group granted is done manually. This ensures control over licenses.
User Roles give Administrators the ability to control what users can do within the system, without giving full administrator access. A Role is a collection of Permissions which could be based on a job function. Permissions are assigned to Roles and Roles are assigned to Users.
I've seen several complicated permission scheme. There was always a justification for it, but unfortunately, at a point in time, they all became too complicated to deal with and were reduced to something simpler.
My personal conclusion now is: stick to Role base access control (RBAC) this is the only reasonable one that everybody understands. It's somehow limited, but sufficient for most cases.
Also, use deny by default policy, that is, you grant rights only. Again, I've seen system with the opposite (allow by default) or even configurable default policy (!) and I don't think it reasonable.
Users and Groups with the ability to test bool UserHasPermission( SOME_PERMISSION ) for an atomic permission associated with a Group is the standard approach for authorization, however things are changing to Claims-based:
http://msdn.microsoft.com/en-us/magazine/ee335707.aspx
http://msdn.microsoft.com/en-us/magazine/cc163366.aspx
http://www.infoq.com/news/2009/10/Guide-Claim-Based-Identity
It however, is not ideal for all situations.
For the old model, I find that performance can be gained by using memoization during permissions checks. That way I'm not going to the database n times per session to check access control. Memoization effectively stores in a cache the result of a call with the same parameters, so all calls by a particular user to check XYZ permission would return the same result. Of course, you'd make sure you stored the memoized permissions for the user in the Session so it's per-user. If you load the permissions at login then you don't need to cache them, but in large systems with many permissions sometimes it's best to get them only when needed.
http://www.infoq.com/news/2007/01/CSharp-memory
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With