Application security in .NET

  • Thread starter: D. Bron

D. Bron

Forum,

Perhaps I should ask a more abstract question: How can I implement
application security in a C# application?

That is, I have many users, and each user has a role in the enterprise.
Each of these roles has responsibilities, and, hence, corresponding
permissions.

Thus, from my UI, to my business model, all the way to my data persistence,
I want to isolate these users, roles, and permissions. For example:

If User A is a frobnicator I only want him to have access to frobnicating
functions and data. I want to remove (not just disable) any non-
frobnicating-related widgets from the GUI, disable non-frobnicating-related
functions in the business model (such as instantiating non-frobnicating-
related objects), and ban access to non-frobnicating-related data in the
data layer.

My basic plan is to put a wrapper around .NET Framework Security, and use
all the work MS has put into it to achieve my desired effect. This is why
I asked the question regarding extending CodeGroup earlier.

So, has anyone done anything like this? Does anyone have any information,
advice, or resources? Can anyone point me to any links or books (I bought
& read .NET Framework Security from Addison-Wesley).

Thanks,

-D. Bron
 
D.Bron,

You should read about role-based security in the .NET framework; this
will help you implement what you want. You should also look into Principals
(a good starting point is the IPrincipal interface) and Identities (start with
the IIdentity interface). You can also have a look at the PrincipalPermission
class and PrincipalPermissionAttribute class. The MSDN documentation
provides rich information and sample code on how to work with these kinds
of things.

Hope this helps,

//Andreas
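
The classes named in the reply above, applied to the three layers from the question, as an added example that is not part of either post and not taken from MSDN. It assumes .NET Framework, where the runtime enforces PrincipalPermissionAttribute; the FrobnicationService class, the role names "Frobnicator" and "Auditor", and the user "userA" are hypothetical.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Hypothetical business-layer class; the role names are made up for this example.
static class FrobnicationService
{
    // Declarative check: the CLR throws SecurityException before the body runs
    // unless Thread.CurrentPrincipal is in the "Frobnicator" role.
    [PrincipalPermission(SecurityAction.Demand, Role = "Frobnicator")]
    public static string Frobnicate(string item)
    {
        return "frobnicated " + item;
    }

    // Imperative check: the same kind of demand made at run time, useful in a
    // data layer where the required role depends on what is being read.
    public static string ReadAuditLog()
    {
        new PrincipalPermission(null, "Auditor").Demand();
        return "audit rows";
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample user: in a real application the identity and role
        // list come from the login step (Windows account, database lookup, ...).
        IIdentity identity = new GenericIdentity("userA");
        IPrincipal principal = new GenericPrincipal(identity, new[] { "Frobnicator" });
        Thread.CurrentPrincipal = principal;

        // UI layer: build a widget only when the role is present, instead of
        // creating it and disabling it.
        Console.WriteLine("Show frobnicate panel: " + principal.IsInRole("Frobnicator"));
        Console.WriteLine("Show audit panel: " + principal.IsInRole("Auditor"));

        Console.WriteLine(FrobnicationService.Frobnicate("widget-1"));
        try { FrobnicationService.ReadAuditLog(); }
        catch (SecurityException)
        {
            Console.WriteLine("Audit log denied for " + identity.Name);
        }
    }
}
```

The IsInRole checks only shape the UI; the demands in the business and data layers are what actually refuse a caller whose principal lacks the role.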
 