C
craig
I have two questions that aren't necessarily C#-related, but I think there
are many people in this forum who have some insight into these concepts, so
I thought I would ask anyway:
1. Assume you are developing an application which incorporates a role-based
security model. An administrator can define roles with specific privileges
and then add users to those roles. After a user has been authenticated,
their role information is retrieved which then determines what privileges
they have. My question is this: would it be considered a violation of
security if these privileges were not enforced by the middle-tier
components? In other words, in a Windows Forms application, would it be
acceptable to allow the UI developer to make decisions about what data can
be exposed to the user based upon the user's role information, or does this
need to be enforced at the component level?
2. How important would you say that it is that specific fields within the
DB can be exposed to the user through more than one type of class? For
example, a user password field could be exposed to an administrator through
a "User" object which is used to configure system users (the "User" object
could have a password field). However, because only users in administrative
roles would have the privilege of modifying this field, users that do not
have administrative privileges would not be able to use this object to
modify their own password. Thus, this field must also be exposed using a
different class for which any authenticated user would always have
modification privileges, such as a "Password" class. Thus, we end up with
two different classes, "User" and "Password" which both allow a user to
modify the same password field in the DB. Is this considered good design?
Would it be considered bad design to restrict all DB fields to being
accessed by only a single class?
If we were to restrict all fields to being accessed by a single class, we
would then be forced to override system security at times in order to access
a field for which the logged in user does not have privileges (as in the
case of a password, as described above).
I would be very interested in the opinions of others who have encountered
these types of issues.
Thanks!
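As an added illustration (not craig's code, and not any particular framework's) of keeping the rule inside the component rather than the form: a middle-tier UserService, assumed to target .NET 6 or later, decides for itself whether the caller may set a given user's password, so one class reaches the same DB field on two paths (administrator, or the account's owner) and a UI that forgets to hide a control cannot bypass the check. The in-memory store and the Login helper are constructed stand-ins for the database and the real authentication step.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Cryptography;
using System.Security.Principal;

// Middle-tier component. The authorization rule lives here, not in the form,
// so a UI that forgets to hide a control cannot bypass it.
public sealed class UserService
{
    private const int Iterations = 100_000;
    // Constructed in-memory store of salted PBKDF2 hashes, standing in for the DB field.
    private readonly Dictionary<string, (byte[] Salt, byte[] Hash)> _store =
        new(StringComparer.OrdinalIgnoreCase);
    public void SetPassword(IPrincipal caller, string targetUser, string newPassword)
    {
        // One field, one class, two cases: administrators may change any account,
        // any other authenticated user may change only their own.
        bool isAdmin = caller.IsInRole("Administrator");
        bool isSelf = string.Equals(caller.Identity?.Name, targetUser, StringComparison.OrdinalIgnoreCase);
        if (!isAdmin && !isSelf)
            throw new SecurityException($"{caller.Identity?.Name} may not set the password of {targetUser}");
        byte[] salt = RandomNumberGenerator.GetBytes(16);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(newPassword, salt, Iterations, HashAlgorithmName.SHA256, 32);
        _store[targetUser] = (salt, hash); // the plaintext is never persisted
    }
    public bool VerifyPassword(string user, string candidate)
    {
        if (!_store.TryGetValue(user, out var rec)) return false;
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(candidate, rec.Salt, Iterations, HashAlgorithmName.SHA256, 32);
        return CryptographicOperations.FixedTimeEquals(hash, rec.Hash);
    }
}

public static class Demo
{
    // Stand-in for real authentication: hands back a principal carrying the user's roles.
    static IPrincipal Login(string name, params string[] roles) =>
        new GenericPrincipal(new GenericIdentity(name), roles);
    public static void Main()
    {
        var svc = new UserService();
        svc.SetPassword(Login("admin", "Administrator"), "alice", "initial-pw"); // admin path: allowed
        svc.SetPassword(Login("alice", "User"), "alice", "my-own-pw");           // self-service: allowed
        Console.WriteLine(svc.VerifyPassword("alice", "my-own-pw"));            // True
        try { svc.SetPassword(Login("bob", "User"), "alice", "hijack"); }       // other user: denied
        catch (SecurityException e) { Console.WriteLine("Denied: " + e.Message); }
    }
}
```

The form can still use the role information to hide or disable controls for a better experience, but nothing the form does changes what the component will accept.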