ASP.NET 2.0 Membership/Role Observations

After digging a bit deeper this week into the built-in Membership/Roles functionality: although it is quite extensive, there seems to be a weakness in using it for a more robust security model. Maybe I've missed something, but here goes:

Let's say in a sample application I have roles entitled Manager and Employee. So, within my application I can now say: if the user is in role X, show/do this. Now, let's say you wanted to attach attributes to the role "Manager". The "Manager" role can do the following fictitious tasks: Create Users, Delete Users, Update Website, Add Document, essentially creating a group with various permissions.

From what I see there is no more depth beyond the Role...
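The missing layer described above, a permission set hung off each role name, can be added on top of the built-in RoleProvider without replacing it. The following is an added example, not code from the original post or from ASP.NET itself; the permission names come from the post, while the `Permission` enum, the `PermissionManager` class and the hard-coded role-to-permission map are assumptions made for illustration. It is written in C# 2.0 syntax to match the ASP.NET 2.0 era, and only `Roles.GetRolesForUser` is a real framework call.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Security;   // ASP.NET 2.0 Roles API (System.Web.dll)

// The tasks the post lists for the "Manager" role. The names are from the
// post; wrapping them in an enum is an assumption for this example.
public enum Permission
{
    CreateUsers,
    DeleteUsers,
    UpdateWebsite,
    AddDocument
}

// Hypothetical helper: maps role names (what the RoleProvider knows about)
// to permissions (what the application actually needs to check).
public static class PermissionManager
{
    // Role -> permission set. In a real deployment this would come from
    // configuration or a database table; it is hard-coded here so the
    // example is self-contained. Roles not in the map grant nothing.
    private static readonly Dictionary<string, List<Permission>> RolePermissions;

    static PermissionManager()
    {
        RolePermissions = new Dictionary<string, List<Permission>>(StringComparer.OrdinalIgnoreCase);

        List<Permission> manager = new List<Permission>();
        manager.Add(Permission.CreateUsers);
        manager.Add(Permission.DeleteUsers);
        manager.Add(Permission.UpdateWebsite);
        manager.Add(Permission.AddDocument);
        RolePermissions["Manager"] = manager;

        List<Permission> employee = new List<Permission>();
        employee.Add(Permission.AddDocument);
        RolePermissions["Employee"] = employee;
    }

    // Pure check over a set of role names: the permission is held if any
    // role grants it, and denied otherwise (deny by default, so an unknown
    // or misspelled role name never widens access).
    public static bool RolesGrant(IEnumerable<string> roles, Permission permission)
    {
        foreach (string role in roles)
        {
            List<Permission> granted;
            if (RolePermissions.TryGetValue(role, out granted) && granted.Contains(permission))
                return true;
        }
        return false;
    }

    // Web-facing check: resolve the user's roles through the configured
    // RoleProvider, then apply the permission map. Roles.GetRolesForUser is
    // the real ASP.NET 2.0 API; everything else here is the added layer.
    public static bool UserHas(string username, Permission permission)
    {
        string[] roles = Roles.GetRolesForUser(username);
        return RolesGrant(roles, permission);
    }
}

// Usage from a page or handler (User comes from the page's HttpContext):
//
//   if (!PermissionManager.UserHas(User.Identity.Name, Permission.DeleteUsers))
//       throw new UnauthorizedAccessException("Delete Users not granted");
```

Because `RolesGrant` takes plain role names, it can be unit-tested without a RoleProvider, and the only place the built-in API is touched is `UserHas`. Checking a permission rather than a role name at each call site means a later change to which roles may delete users is a one-line edit to the map instead of a search through every `IsUserInRole("Manager")` in the code base.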

3 Comments

  • What you want is the missing piece, namely traditional RBAC's (role-based access control) 'Permissions'. I think MS just defined RBAC up to the roles part; how their associated permissions get enforced is up to you. Permissions are generally too application-specific and context-bound (which makes policies a more viable choice most of the time) anyway.

  • Just for the mention, there is a PermissionManager project that does what Yves said. I believe it's in the gotdotnet workspaces.

  • Thanks for the links folks.
