Thread: Add column to AspNetUserRoles table and apply custom authorization

  1. #1

    Thread Starter
    Hyperactive Member Ms.Longstocking's Avatar
    Join Date
    Oct 2006
    Posts
    399

    Add column to AspNetUserRoles table and apply custom authorization

    Hey guys,

    Been years since I posted here.... back in the game.

    The title of my post may not accurately reflect what my end goal is, so I'll elaborate a little before the discussion begins.

    I have one web application and one database that will be shared by many organizations. I am using the identity framework and roles to limit access to different pages within a particular organization. [e.g. - admin vs peon]

    That is to say that a user who has a role of admin for Organization A should not be authorized to see the admin pages of Organization B.

    My first instinct was to add a third column to my AspNetUserRoles table. [OrganizationId in addition to UserId and RoleId]
    All 3 columns here would then be designated as a primary key.

    Would this approach be best for what I want to accomplish?

    Regards,
    MizPippz

  2. #2
    Super Moderator jmcilhinney's Avatar
    Join Date
    May 2005
    Location
    Sydney, Australia
    Posts
    110,299

    Re: Add column to AspNetUserRoles table and apply custom authorization

    If you're going to share users across organisations then I would think that you should just have an admin role for each organisation and then you can add a user to one or more of those roles to provide admin access for the corresponding organisation(s).

  3. #3

    Thread Starter
    Hyperactive Member Ms.Longstocking's Avatar
    Join Date
    Oct 2006
    Posts
    399

    Re: Add column to AspNetUserRoles table and apply custom authorization

    Firstly, it's been a while and it's good to see that you're still active on this website! I remember you and your input with fondness! You and the rest of the contributors on this site helped me out immensely in the past.

    To perhaps better illustrate my point, I may need to provide some more detailed information regarding my existing structure. Forgive me if my description and imagery appear simplistic, but I want to be as clear and concise as possible.

    One web application
    One database
    Three organisations [A, B, and C]

    Fixed number of roles
    • Peon
    • Accounting
    • Administrator
    • El Jefe



    Rules:
    • Users can have multiple roles within an organisation [User Eggbert can be an Administrator as well as an Accountant]
    • Users can have different roles across organisations. [User Eggbert can be an Administrator in Organisation A, and only have Accountant rights in Organisation B]
    • Sitewide, only data from one organisation at a time can be viewed. Exception: "El Jefe" can see all at all times.


    If part of multiple organisations, upon login, a user will be prompted to log in to a specific organisation. A session variable with organisational identification (organisationId) will then be stored.


    What I am considering:

    When a role is assigned to a user, an organisation ID would be added to the AspNetUserRoles table. It would therefore be possible to have an "Administrator" entry multiple times (i.e. one for each organisation).

    [Attached image: Org.jpg]


    When only one organisation is involved, by default, and when visiting restricted content based on role, a check is applied in the Controller.

    Code:
    [CustomAuthorize(Roles = "Administrator, El Jefe")]
    public class AdminController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }
    }

    Would it be feasible (conceptually) to add organisation info as part of the authorization check?
    Example:

    Code:
    [CustomAuthorize(Roles = "Administrator, El Jefe", Organisations = "OrganisationA")]
    public class AdminController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }
    }

    Of course, the Organisations = "OrganisationA" part would have to somehow be dynamically generated. It's not feasible to hardcode this stuff.

    Or perhaps within the CustomAuthorize method itself?
    Using UserManager?


    Anyway, that's the gist of what I need to do. My skills and experience with this are insufficient to tackle this issue by my lonesome.

    Any ideas?

    Thanks,
    MizPippz
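
Added example, not part of the original thread: one way to resolve the organisation inside the attribute itself rather than in the attribute arguments, assuming ASP.NET MVC 5 (System.Web.Mvc) with ASP.NET Identity 2. `UserOrgRole`, `IUserOrgRoleStore` and the static `Store` property are hypothetical names; the session key `organisationId` is the one described in post #3.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

// Hypothetical row of AspNetUserRoles extended with an OrganisationId column.
public sealed class UserOrgRole
{
    public string RoleName { get; set; }
    public int? OrganisationId { get; set; }   // null = site-wide grant (El Jefe)
}

// Hypothetical lookup; a real application would query the database here.
public interface IUserOrgRoleStore
{
    IEnumerable<UserOrgRole> GetGrants(string userId);
}

public class CustomAuthorizeAttribute : AuthorizeAttribute
{
    public const string GlobalRole = "El Jefe";
    public static IUserOrgRoleStore Store { get; set; }  // assigned at startup (assumption)

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var user = httpContext.User;
        if (user == null || !user.Identity.IsAuthenticated) return false;

        // Roles is the comma-separated string from the attribute usage.
        var allowed = (Roles ?? "").Split(',').Select(r => r.Trim())
                                   .Where(r => r.Length > 0).ToList();
        var grants = Store.GetGrants(user.Identity.GetUserId()).ToList();

        // El Jefe is site-wide, but only on actions that list that role.
        if (allowed.Contains(GlobalRole) && grants.Any(g => g.RoleName == GlobalRole))
            return true;

        // The organisation comes from server-side session state set at login,
        // never from a route value, query string or form field.
        var orgId = httpContext.Session?["organisationId"] as int?;
        if (orgId == null) return false;   // no organisation selected: deny

        // The role must be granted for the organisation currently selected.
        return grants.Any(g => g.OrganisationId == orgId &&
                               allowed.Contains(g.RoleName));
    }
}
```

With this shape the controller keeps `[CustomAuthorize(Roles = "Administrator, El Jefe")]` unchanged, and an Administrator grant for Organisation A does not satisfy the check while Organisation B is the selected organisation.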

  4. #4

    Thread Starter
    Hyperactive Member Ms.Longstocking's Avatar
    Join Date
    Oct 2006
    Posts
    399

    Re: Add column to AspNetUserRoles table and apply custom authorization

    Hey guys,

    Any suggestions on how I can resolve this little SNAFU?
    Does my potential solution hold water?

    @jmcilhinney
    I've been contemplating your suggestion:
    If you're going to share users across organisations then I would think that you should just have an admin role for each organisation and then you can add a user to one or more of those roles to provide admin access for the corresponding organisation(s).
    Are you suggesting a cookie cutter Admin role for each organization or a custom Admin role for each?
