Currently working on a web based CRM type system that deals with various Modules such as Companies, Contacts, Projects, Sub Projects, etc. A typical CRM type system (asp.net web form, C#, SQL Server backend). We plan to implement role based security so that basically a user can have one or more roles.
Roles would be broken down by first the module type such as:
-Company
-Contact
And then by the actions for that module for instance each module would end up with a table such as this:
Role1 Example:
Module Create Edit Delete View
Company Yes Owner Only No Yes
Contact Yes Yes Yes Yes
In the above case Role1
has two module types (Company, and Contact). For company, the person assigned to this role can create companies, can view companies, can only edit records he/she created and cannot delete. For this same role for the module contact this user can create contacts, edit contacts, delete contacts, and view contacts (full rights basically).
I am wondering is it best upon coming into the system to session the user's role with something like a:
List<Role> roles;
Where the Role
class would have some sort of List<Module> modules;
(can contain Company, Contact, etc.).? Something to the effect of:
class Role{
string name;
string desc;
List<Module> modules;
}
And the module action class would have a set of actions (Create, Edit, Delete, etc.) for each module:
class ModuleActions{
List<Action> actions;
}
And the action has a value of whether the user can perform the right:
class Action{
string right;
}
Just a rough idea, I know the action could be an enum and the ModuleAction can probably be eliminated with a List<x, y>
. My main question is what would be the best way to store this information in this type of application: Should I store it in the User Session state (I have a session class where I manage things related to the user). I generally load this during the initial loading of the application (global.asax). I can simply tack onto this session.
Or should this be loaded at the page load event of each module (page load of company etc..). I eventually need to be able to hide / unhide various buttons / divs based on the user's role and that is what got me thinking to load this via session.
Any examples or points would be great.
Best Answer
Well, I think your design is fine I would only recommend you only a simple thing on how to store the roles. I have here a system that has almost the same concepts. It is not based on roles as per the name.
So I have a user session object with objects of type Map that store the permissions that the user has. And this Map objects is filled on demmand It will be something like:
That way you load the user permisson and store it by demmand and don't overload the session object with the full set of permissions that the user has.
EDIT
As OP asked on the comments:
The answer is almost this. When the user logs in an application the user session object is empty, so for the Application that He is logging in I would check if He has access and if so, I add it to the map with the first Action that was called by that Application lets say 'View'. And with this Action the user can see the search form.
Here you can have two approach. Which is what you asked!
Check permissions when the user fire the events like with this 'View' Action it can see the entire form with the buttons search, add, cancel (or whatever others) But the permission will be checked only when the user press the button. Then it if have you add to the map or send him a message saying that it does not have that permission.
Check the permission when rendering the actions. You only show the buttons on the form if the user has that appropriate Action associated to it. So lets say you are using a component library like Richfaces it would be like this:
<a4j:commandButton rendered="#{userSessionObject.hasPermissionAction('appBla','search')}" ..... />
And since this is created on the construction of the page the map would be filled on every check permission that is made on the page or other resources.
And on my application i choose for the second approach, because I don't think that make sense to show a button to a user that does not have the access to it.
Edit 2
A thing that maybe is usefull is that I associate a thread timing (configurable time) to the user session that clean up the maps on the userSessionObject, so if some administrator change permissions to that user at some point it will have his permissions updated automatically, not exactly at prompt but this was a acceptable requirement to this particular system.