I was looking for a class like this... thanks tariq
tarekahf
Re: Need your opinion on developing a Security/Authorization Class.
Dec 09, 2008 06:50 PM
Thank you rami.
I have added a lot of improvements to this AppSecurity Class. Basically, I created an object/class named "UserCtrlInfo" to hold the User Control Information. Also, another object/class named "UserCtrlInfoPack" to hold the User Control Information of the Authenticated User and the Query User. UserCtrlInfoPack has 2 properties, AuthUserCtrlInfo and QueryUserCtrlInfo, each of type UserCtrlInfo. The Query User is the user which is to be queried by the Authenticated User. The UserCtrlInfoPack is cached in a session variable for improved performance.
Currently, the Control Info is simply the Staff Employee ID and the Department Code. The Control Info is created immediately after authentication is successful (after Login), and initially, the Query User ID is "*", which means no Query User is selected yet.
I have created an ASPX Page to select the Query User, and once selected, the QueryUserCtrlInfo property is updated and the session variable is also updated.
Now suppose that the Authenticated User ID 111111 wants to display the information of the Query User ID 222222, then a call to a business object: StaffBasicInfo.GetStaffBasicInfo() will call the function CanGetObject(theUserCtrlInfoPack), which will do something like the following:
If the Authenticated User ID is the same as the Query User ID or the Query User ID is = "*" then allowed,
If the ID is not the same, then check the Department Code, if the same, then allowed,
If the Department Code is not the same, then the Authenticated User must have an Admin Role assigned to him to allow the operation,
Otherwise, access is denied.
Once I complete the final version, I will post complete details if someone is interested.
Tarek.
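The decision order described in the post above, written out as an added C# example; it is not the poster's code. The class, property and function names UserCtrlInfo, UserCtrlInfoPack, AuthUserCtrlInfo, QueryUserCtrlInfo and CanGetObject come from the post, while StaffId, DeptCode, NoQueryUser, the isAdmin parameter and the sample IDs and department codes are assumptions made for illustration.

```csharp
using System;

// UserCtrlInfo, UserCtrlInfoPack, AuthUserCtrlInfo, QueryUserCtrlInfo and CanGetObject
// are named in the post; StaffId, DeptCode, NoQueryUser and isAdmin are assumed here.
public sealed class UserCtrlInfo
{
    public string StaffId { get; }
    public string DeptCode { get; }
    public UserCtrlInfo(string staffId, string deptCode)
    {
        StaffId = staffId ?? throw new ArgumentNullException(nameof(staffId));
        DeptCode = deptCode ?? "";
    }
}

public sealed class UserCtrlInfoPack
{
    public const string NoQueryUser = "*"; // no Query User selected yet
    public UserCtrlInfo AuthUserCtrlInfo { get; }
    public UserCtrlInfo QueryUserCtrlInfo { get; set; }
    public UserCtrlInfoPack(UserCtrlInfo auth)
    {
        AuthUserCtrlInfo = auth ?? throw new ArgumentNullException(nameof(auth));
        QueryUserCtrlInfo = new UserCtrlInfo(NoQueryUser, "");
    }
}

public static class AppSecurity
{
    // Rules are evaluated in the order the post lists them; anything unmatched is denied.
    public static bool CanGetObject(UserCtrlInfoPack pack, bool isAdmin)
    {
        if (pack?.QueryUserCtrlInfo == null) return false;   // missing control info: deny
        UserCtrlInfo auth = pack.AuthUserCtrlInfo, query = pack.QueryUserCtrlInfo;
        if (query.StaffId == UserCtrlInfoPack.NoQueryUser || query.StaffId == auth.StaffId)
            return true;                                      // same user, or "*"
        // Same department. Treating an empty code as "no match" is this example's choice.
        if (auth.DeptCode.Length > 0 && auth.DeptCode == query.DeptCode) return true;
        return isAdmin;                                       // Admin role, otherwise denied
    }

    public static void Main()
    {
        var pack = new UserCtrlInfoPack(new UserCtrlInfo("111111", "D10")); // constructed sample
        Console.WriteLine($"no query user: {CanGetObject(pack, false)}");
        pack.QueryUserCtrlInfo = new UserCtrlInfo("222222", "D10");
        Console.WriteLine($"same department: {CanGetObject(pack, false)}");
        pack.QueryUserCtrlInfo = new UserCtrlInfo("333333", "D20");
        Console.WriteLine($"other department, no admin: {CanGetObject(pack, false)}");
        Console.WriteLine($"other department, admin: {CanGetObject(pack, true)}");
    }
}
```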