-
Dec 14th, 2020, 09:58 AM
#1
Thread Starter
Hyperactive Member
Add column to AspNetUserRoles table and apply custom authorization
Hey guys,
Been years since I posted here.... back in the game.
The title of my post may not accurately reflect what my end goal is, so I'll elaborate a little before the discussion begins.
I have one web application and one database that will be shared by many organizations. I am using the identity framework and roles to limit access to different pages within a particular organization. [e.g. - admin vs peon]
That is to say that a user who has a role of admin for Organization A should not be authorized to see the admin pages of Organization B.
My first instinct was to add a third column to my AspNetUserRoles table. [OrganizationId in addition to UserId and RoleId]
All 3 columns here would then be designated as a primary key.
Would this approach be best for what I want to accomplish?
Regards,
MizPippz
-
Dec 14th, 2020, 10:06 AM
#2
Re: Add column to AspNetUserRoles table and apply custom authorization
If you're going to share users across organisations then I would think that you should just have an admin role for each organisation and then you can add a user to one or more of those roles to provide admin access for the corresponding organisation(s).
-
Dec 14th, 2020, 12:48 PM
#3
Thread Starter
Hyperactive Member
Re: Add column to AspNetUserRoles table and apply custom authorization
Firstly, it's been a while and it's good to see that you're still active on this website! I remember you and your input with fondness! You and the rest of the contributors on this site helped me out immensely in the past.
To perhaps better illustrate my point, I may need to provide some more detailed information regarding my existing structure. Forgive me if my description and imagery appear simplistic, but I want to be as clear and concise as possible.
One web application
One database
Three organisations [A, B, and C]
Fixed number of roles
- Peon
- Accounting
- Administrator
- El Jefe
Rules:
- Users can have multiple roles within an organisation [User Eggbert can be an Administrator as well as an Accountant]
- Users can have different roles across organisations. [User Eggbert can be an Administrator in Organisation A, and only have Accountant rights in Organisation B]
- Sitewide, only data from one organisation at a time can be viewed. Exception: "El Jefe" can see all at all times.
If part of multiple organisations, upon login, a user will be prompted to log in to a specific organisation. A session variable with organisational identification (organisationId) will then be stored.
What I am considering:
When a role is assigned to a user, an organisation ID would be added to the AspNetUserRoles table. It would therefore be possible to have an "Administrator" entry multiple times (i.e. one for each organisation).
When only one organisation is involved, by default, and when visiting restricted content based on role, a check is applied in the Controller.
Code:
    [CustomAuthorize(Roles = "Administrator, El Jefe")]
    public class AdminController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }
    }
Would it be feasible (conceptually) to add organisation info as part of the authorization check?
Example:
Code:
    // Named attribute properties are comma-separated inside a single argument list.
    [CustomAuthorize(Roles = "Administrator, El Jefe", Organisations = "OrganisationA")]
    public class AdminController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }
    }
Of course, the Organisations = "OrganisationA" part would have to somehow be dynamically generated. It's not feasible to hardcode this stuff.
Or perhaps within the CustomAuthorize method itself?
Using UserManager?
Anyway, that's the gist of what I need to do. My skills and experience with this are insufficient to tackle this issue by my lonesome.
Any ideas?
Thanks,
MizPippz
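One way to fold the organisation into the authorization check asked about in post #3, as an added example that is not part of the original thread. It assumes ASP.NET MVC 5 with ASP.NET Identity 2 and a session key named `OrganisationId`; `OrgRoleGrant`, `OrgAuthorizeAttribute`, `SiteWideRoles` and the `GrantsForUser` lookup are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

// Hypothetical row shape: one AspNetUserRoles row extended with OrganisationId.
public sealed class OrgRoleGrant { public string Role; public int OrganisationId; }

public class OrgAuthorizeAttribute : AuthorizeAttribute
{
    // Roles that apply in every organisation (the "El Jefe" exception).
    static readonly HashSet<string> SiteWideRoles =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "El Jefe" };

    // Hypothetical lookup; point it at the real table (e.g. a DbContext query) at startup.
    public static Func<string, IEnumerable<OrgRoleGrant>> GrantsForUser =
        userId => Enumerable.Empty<OrgRoleGrant>();

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var identity = httpContext.User?.Identity;
        if (identity == null || !identity.IsAuthenticated) return false;
        // Active organisation comes only from server-side session state set at login,
        // never from a route value, query string or form field the client controls.
        var activeOrg = httpContext.Session?["OrganisationId"] as int?;
        // An empty Roles list matches nothing, so a bare [OrgAuthorize] denies by default.
        var wanted = (Roles ?? "").Split(',').Select(r => r.Trim())
                                  .Where(r => r.Length > 0).ToList();
        return IsAllowed(GrantsForUser(identity.GetUserId()), wanted, activeOrg);
    }

    // Pure decision function, so it can be unit-tested without an HTTP context.
    public static bool IsAllowed(IEnumerable<OrgRoleGrant> grants,
                                 ICollection<string> wanted, int? activeOrg)
    {
        return grants.Any(g =>
            wanted.Contains(g.Role, StringComparer.OrdinalIgnoreCase) &&
            (SiteWideRoles.Contains(g.Role) || g.OrganisationId == activeOrg));
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Signed in but lacking the role in this organisation: 403, not a login redirect.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

With this shape the controller carries only `[OrgAuthorize(Roles = "Administrator, El Jefe")]`, and a grant held in Organisation A never satisfies the check while the session points at Organisation B.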
-
Dec 18th, 2020, 10:59 AM
#4
Thread Starter
Hyperactive Member
Re: Add column to AspNetUserRoles table and apply custom authorization
Hey guys,
Any suggestions on how I can resolve this little SNAFU?
Does my potential solution hold water?
@jmcilhinney
I've been contemplating your suggestion:
If you're going to share users across organisations then I would think that you should just have an admin role for each organisation and then you can add a user to one or more of those roles to provide admin access for the corresponding organisation(s).
Are you suggesting a cookie cutter Admin role for each organization or a custom Admin role for each?