Answered at: http://stackoverflow.com/questions/11664078/permission-based-access-control/12181575#12181575
However, I’ve implemented Role Based Access Control on a a classic 3-tier ASP.Net 3.5 web forms application, using a MasterPage, a BasePage class and a RoleBasedAccessControl database model.
Example
User «jtirado» is assigned role «HR-Assistant», can access route «mywebapp/employee.aspx?id=1452» to edit employee (id:1452) data.
Being «HR-Assistant», this user can change employee telephone number and e-mail, can view employee salary but not edit the amount.
Telephone number, email, salary are dabatase fields and are represented/rendered by a «asp.net-control» on the ASPX page. So I want to restrict access to these controls based on user’s role.
MasterPage builds the options menu the user has access according to his assigned role. It’s used by all my internal pages.
protected void Page_Load(object sender, System.EventArgs e) { if (!Page.IsPostBack) { CargaItemMenu(MnuPrincipal, Convert.ToInt32(Session["IdPais"]), Convert.ToInt32(Session["IdRol"]), Convert.ToInt32(Session["IdUsuario"])); Session.Add("MenuDinamico", MnuPrincipal); if (MnuPrincipal.Items.Count < 1) { MenuItem menuItems = new MenuItem(); menuItems.Text = "Principal"; menuItems.Value = "1"; menuItems.NavigateUrl = ""; menuItems.Selectable = true; MnuPrincipal.Items.Add(menuItems); } } } private void CargaItemMenu(Menu ctrlmenu, int v_IdPais, int v_IdRol, int v_IdUsuario) { oBEOpcionRol = new SEGU.Entities.ENOpcionRol(); oBLOpcionRol = new SEGU.BusinessLogic.BLOpcionRol(); List<ParametroGenerico> ArrayParam; ArrayParam = CargarParamentrosOpcionRol(v_IdPais, v_IdRol, v_IdUsuario); List<SEGU.Entities.ENOpcionRol> ListaMenuItems = oBLOpcionRol.ListaxIdPaisxIdRolxIdUsuario(ArrayParam); foreach (SEGU.Entities.ENOpcionRol objOpcionRol in ListaMenuItems) { if (objOpcionRol.IdOpcion.IdOpcion.Equals(objOpcionRol.IdOpcion.IdMenu)) { MenuItem mnuMenuItem = new MenuItem(); mnuMenuItem.Value = objOpcionRol.IdOpcion.IdOpcion.ToString(); mnuMenuItem.Text = objOpcionRol.IdOpcion.Nombre.ToString(); if (objOpcionRol.IdOpcion.RutaFormulario != "") { mnuMenuItem.NavigateUrl = objOpcionRol.IdOpcion.RutaFormulario.ToString();// +"?IdOpcion=" + Convert.ToString(objOpcionRol.IdOpcion.IdOpcion); } if (objOpcionRol.IdOpcion.PageNew == "1") { mnuMenuItem.Target = "_blank"; } //mnuMenuItem.Target = "iframePrincipal" if (objOpcionRol.IdOpcion.Imagen.Trim() != "") { mnuMenuItem.ImageUrl = "Seguridad/ImagenesMenus/" + objOpcionRol.IdOpcion.Imagen.Trim(); } if ((mnuMenuItem.NavigateUrl.Trim().Length > 0)) { mnuMenuItem.Selectable = true; } else { mnuMenuItem.Selectable = false; } ctrlmenu.Items.Add(mnuMenuItem); AddMenuItem(mnuMenuItem, ListaMenuItems); } } } private void AddMenuItem(MenuItem mnuMenuItem, List<SEGU.Entities.ENOpcionRol> listaOpcionRol) { foreach (SEGU.Entities.ENOpcionRol objOpcionRol in listaOpcionRol) { if (objOpcionRol.IdOpcion.IdMenu.ToString().Equals(mnuMenuItem.Value) && !objOpcionRol.IdOpcion.IdOpcion.Equals(objOpcionRol.IdOpcion.IdMenu)) { MenuItem mnuNewMenuItem = new MenuItem(); mnuNewMenuItem.Value = objOpcionRol.IdOpcion.IdOpcion.ToString(); mnuNewMenuItem.Text = objOpcionRol.IdOpcion.Nombre.ToString(); if (objOpcionRol.IdOpcion.RutaFormulario != "") { mnuNewMenuItem.NavigateUrl = objOpcionRol.IdOpcion.RutaFormulario.ToString();// +"?IdOpcion=" + Convert.ToString(objOpcionRol.IdOpcion.IdOpcion); } if (objOpcionRol.IdOpcion.PageNew == "1") { mnuNewMenuItem.Target = "_blank"; } mnuMenuItem.ChildItems.Add(mnuNewMenuItem); //mnuNewMenuItem.Target = "iframePrincipal" if (objOpcionRol.IdOpcion.Imagen.Trim() != "") { mnuNewMenuItem.ImageUrl = "Seguridad/ImagenesMenus/" + objOpcionRol.IdOpcion.Imagen.Trim(); } if ((mnuNewMenuItem.NavigateUrl.Trim().Length > 0)) { mnuNewMenuItem.Selectable = true; } else { mnuNewMenuItem.Selectable = false; } AddMenuItem(mnuNewMenuItem, listaOpcionRol); } } }BasePage class checks if the user has access to the required page. All pages requiring authorization inherit from this BasePage class.public class PaginaBase : System.Web.UI.Page { SEGU.BusinessLogic.BLOpcionRol oBLOpcionRol; protected void Page_InitComplete(object sender, System.EventArgs e) { string Url = this.Page.AppRelativeVirtualPath; oBLOpcionRol = new SEGU.BusinessLogic.BLOpcionRol(); int b = oBLOpcionRol.AutentificarUrl(Convert.ToInt32(System.Web.HttpContext.Current.Session["IdPais"]), Convert.ToInt32(System.Web.HttpContext.Current.Session["IdUsuario"]), Convert.ToInt32(System.Web.HttpContext.Current.Session["IdRol"]), Url); System.Web.HttpContext.Current.Session["IdOpcion"] = b; if( b <= 0 ){ System.Web.HttpContext.Current.Response.Redirect("~/Seguridad/Acceso.aspx"); return; } } . . }Finally, on Customers.aspx **Page_Load** event I call a function (oBLPermisoOpcionRol.ValidarPermisos) which checks which receives the Page instance as parameters and iterate its controls (ex: DdlClientType, TxtLastName,ChkIsActive) to check which ones the user can edit, enabling, disabling or hiding them.protected void Page_Load(object sender, EventArgs e) { if (!Page.IsPostBack) { SetNodosMenu(TrvMenu, ""); if (this.TrvMenu.Nodes.Count < 1) { PrimerNodos(this.TrvMenu); } ListarModuloxAnulado(GvModulo, Convert.ToString(RblAnuladoModuloBusqueda.SelectedValue), Convert.ToInt32(0), Convert.ToInt32(DdlNroPaginaModulo.SelectedValue)); oBLPermisoOpcionRol = new SEGU.BusinessLogic.BLPermisoOpcionRol(); oBLPermisoOpcionRol.ValidarPermisos(Page, Convert.ToInt32(Session["IdRol"]), Convert.ToInt32(Session["IdOpcion"])); } } public void ValidarPermisos(System.Web.UI.Page v_Page, int v_IdRol, int v_IdOpcion) { BusinessLogic.BLPermisoOpcionRol oBLPermisoOpcionRol = new BusinessLogic.BLPermisoOpcionRol(); List<ParametroGenerico> ArrayParam ; ArrayParam = CargarParametros(v_IdRol, v_IdOpcion); List<SEGU.Entities.ENPermisoOpcionRol> Lista = oBLPermisoOpcionRol.ListaxIdRolxIdOpcion(ArrayParam); for(int Fila= 0; Fila< Lista.Count; Fila++){ bool v_Anulado= true; if (Lista[Fila].Anulado == "1") { v_Anulado = true; }else if (Lista[Fila].Anulado == "0") { v_Anulado = false; } bool v_ControlVisibleDisabled = true; if (Lista[Fila].VisbleDisabled == "1") // Control Disabled { v_ControlVisibleDisabled = true; } else if (Lista[Fila].VisbleDisabled == "0") // Control Visible { v_ControlVisibleDisabled = false; } SetControls(v_Page, Lista[Fila].IdPermiso.Control, v_Anulado, v_ControlVisibleDisabled); } } public void SetControls(System.Web.UI.Control parentControl, string v_Control, bool permitir, bool v_Permitir_ControlVisibleDisabled) { foreach(System.Web.UI.Control c in parentControl.Controls){ if( (c) is Button ){ if( ((Button)c).ID == v_Control ){ if( permitir == true ){ if (v_Permitir_ControlVisibleDisabled == true) { ((Button)c).Enabled = false; }else if (v_Permitir_ControlVisibleDisabled == false) { ((Button)c).Visible = false; } }else{ ((Button)c).Visible = true; } } }else if( (c) is CheckBox ){ if( ((CheckBox)c).ID == v_Control ){ if( permitir == true ){ if (v_Permitir_ControlVisibleDisabled == true) { ((CheckBox)c).Enabled = false; }else if (v_Permitir_ControlVisibleDisabled == false) { ((CheckBox)c).Visible = false; } }else{ ((CheckBox)c).Visible = true; } } }else if( (c) is Label ){ if( ((Label)c).ID == v_Control ){ if( permitir == true ){ if (v_Permitir_ControlVisibleDisabled == true) { ((Label)c).Enabled = false; }else if (v_Permitir_ControlVisibleDisabled == false) { ((Label)c).Visible = false; } }else{ ((Label)c).Visible = true; } } }else if( (c) is TextBox ){ if( ((TextBox)c).ID == v_Control ){ if( permitir == true ){ if (v_Permitir_ControlVisibleDisabled == true) { ((TextBox)c).Enabled = false; } else if (v_Permitir_ControlVisibleDisabled == false) { ((TextBox)c).Visible = false; } }else{ ((TextBox)c).Visible = true; } } }else if( (c) is GridView ){ if( ((GridView)c).ID == v_Control ){ if( permitir == true ){ if (v_Permitir_ControlVisibleDisabled == true) { ((GridView)c).Enabled = false; }else if (v_Permitir_ControlVisibleDisabled == false) { ((GridView)c).Visible = false; } }else{ ((GridView)c).Visible = true; } } }else if( (c) is ImageButton ){ if( ((ImageButton)c).ID == v_Control ){ if (permitir == true) { if (v_Permitir_ControlVisibleDisabled == true) { ((ImageButton)c).Enabled = false; } else if (v_Permitir_ControlVisibleDisabled == false) { ((ImageButton)c).Visible = false; } } else { ((ImageButton)c).Visible = true; } } }else if( (c) is HyperLink ){ if( ((HyperLink)c).ID == v_Control ){ if( permitir == true ){ if (v_Permitir_ControlVisibleDisabled == true) { ((HyperLink)c).Enabled = false; } else if (v_Permitir_ControlVisibleDisabled == false) { ((HyperLink)c).Visible = false; } }else{ ((HyperLink)c).Visible = true; } } }else if( (c) is DropDownList ){ if( ((DropDownList)c).ID == v_Control ){ if( permitir == true ){ if (v_Permitir_ControlVisibleDisabled == true) { ((DropDownList)c).Enabled = false; } else if (v_Permitir_ControlVisibleDisabled == false) { ((DropDownList)c).Visible = false; } }else{ ((DropDownList)c).Visible = true; } } }else if( (c) is ListBox ){ if( ((ListBox)c).ID == v_Control ){ if( permitir == true ){ if (v_Permitir_ControlVisibleDisabled == true) { ((ListBox)c).Enabled = false; } else if (v_Permitir_ControlVisibleDisabled == false) { ((ListBox)c).Visible = false; } }else{ ((ListBox)c).Visible= true; } } }else if( (c) is DataList ){ if( ((DataList)c).ID == v_Control ){ if( permitir == true ){ if (v_Permitir_ControlVisibleDisabled == true) { ((DataList)c).Enabled = false; } else if (v_Permitir_ControlVisibleDisabled == false) { ((DataList)c).Visible = false; } }else{ ((DataList)c).Visible = true; } } }else if( (c) is CheckBoxList ){ if( ((CheckBoxList)c).ID == v_Control ){ if( permitir == true ){ if (v_Permitir_ControlVisibleDisabled == true) { ((CheckBoxList)c).Enabled = false; } else if (v_Permitir_ControlVisibleDisabled == false) { ((CheckBoxList)c).Visible = false; } }else{ ((CheckBoxList)c).Visible = true; } } }else if( (c) is RadioButton ){ if( ((RadioButton)c).ID == v_Control ){ if( permitir == true ){ if (v_Permitir_ControlVisibleDisabled == true) { ((RadioButton)c).Enabled= false; } else if (v_Permitir_ControlVisibleDisabled == false) { ((RadioButton)c).Visible = false; } }else{ ((RadioButton)c).Visible = true; } } }else if( (c) is RadioButtonList ){ if( ((RadioButtonList)c).ID == v_Control ){ if( permitir == true ){ if (v_Permitir_ControlVisibleDisabled == true) { ((RadioButtonList)c).Enabled = false; } else if (v_Permitir_ControlVisibleDisabled == false) { ((RadioButtonList)c).Visible = false; } }else{ ((RadioButtonList)c).Visible = true; } } }else if( (c) is Image ){ if( ((Image)c).ID == v_Control ){ if( permitir == true ){ ((Image)c).Visible = false; }else{ ((Image)c).Visible = true; } } }else if( (c) is Panel ){ if( ((Panel)c).ID == v_Control ){ if (permitir == true) { if (v_Permitir_ControlVisibleDisabled == true) { ((Panel)c).Enabled = false; } else if (v_Permitir_ControlVisibleDisabled == false) { ((Panel)c).Visible = false; } } else { ((Panel)c).Visible = true; } } }else if( (c) is Table ){ if( ((Table)c).ID == v_Control ){ if( permitir == true ){ if (v_Permitir_ControlVisibleDisabled == true) { ((Table)c).Enabled = false; } else if (v_Permitir_ControlVisibleDisabled == false) { ((Table)c).Visible = false; } }else{ ((Table)c).Visible= true; } } }else if( (c) is LinkButton ){ if( ((LinkButton)c).ID == v_Control ){ if( permitir == true ){ if (v_Permitir_ControlVisibleDisabled == true) { ((LinkButton)c).Enabled = false; } else if (v_Permitir_ControlVisibleDisabled == false) { ((LinkButton)c).Visible = false; } }else{ ((LinkButton)c).Visible = true; } } }else if( (c) is System.Web.UI.HtmlControls.HtmlInputButton ){ if( ((System.Web.UI.HtmlControls.HtmlInputButton)c).ID == v_Control ){ if( permitir == true ){ ((System.Web.UI.HtmlControls.HtmlInputButton)c).Visible = false; ((System.Web.UI.HtmlControls.HtmlInputButton)c).Attributes.Add("disabled", "disabled"); }else{ ((System.Web.UI.HtmlControls.HtmlInputButton)c).Visible = true; ((System.Web.UI.HtmlControls.HtmlInputButton)c).Attributes.Remove("disabled"); } } }else if( (c) is System.Web.UI.HtmlControls.HtmlAnchor ){ if( ((System.Web.UI.HtmlControls.HtmlAnchor)c).ID == v_Control ){ if( permitir == true ){ ((System.Web.UI.HtmlControls.HtmlAnchor)c).Visible = false; // CType(c, System.Web.UI.HtmlControls.HtmlAnchor).Attributes.Add("disabled", "disabled") }else{ ((System.Web.UI.HtmlControls.HtmlAnchor)c).Visible = true; //CType(c, System.Web.UI.HtmlControls.HtmlAnchor).Attributes.Remove("disabled") '' etiqueta <a runat="server" ID="id1"> } } }else if( (c) is System.Web.UI.HtmlControls.HtmlGenericControl ){ if( ((System.Web.UI.HtmlControls.HtmlGenericControl)c).TagName.ToUpper() == "DIV".ToUpper() ){ if( ((System.Web.UI.HtmlControls.HtmlGenericControl)c).ID == v_Control ){ if( permitir == true ){ ((System.Web.UI.HtmlControls.HtmlGenericControl)c).Visible = false; //CType(c, System.Web.UI.HtmlControls.HtmlGenericControl).Attributes.Add("disabled", "disabled") }else{ ((System.Web.UI.HtmlControls.HtmlGenericControl)c).Visible = true; //CType(c, System.Web.UI.HtmlControls.HtmlGenericControl).Attributes.Remove("disabled") '' etiqueta <div runat="server" ID="iddiv"> } } } } SetControls(c, v_Control, permitir, v_Permitir_ControlVisibleDisabled); } }
This way, I don’t have to use if-then sentences to check permissions and, I can create as many roles as I want, giving them any permissions, without having to change any C# code.
You can check these posts also:
Is ASP.NET role based security a true role based access control system?
How to control access to forms fields on a ASP.Net MVC 3 view?
Jhonatan Tirado 