Re: Security Model

From: Nicholas Paldino [.NET/C# MVP] (mvp_at_spam.guard.caspershouse.com)
Date: 05/03/04

• Next message: AlexS: "Re: Security Model"
• Previous message: Carlos: "Map Network Drive"
• In reply to: Z D: "Security Model"
• Next in thread: Z D: "Re: Security Model"
• Reply: Z D: "Re: Security Model"
• Messages sorted by: [ date ] [ thread ]

Date: Mon, 3 May 2004 10:48:32 -0400

Z D,

    Generally, I'm not too concerned about user interface element access.
If you have designed your app correctly, you can have people hitting
whatever button they want, because those buttons will call into your
business layer, which has code that is not tied to the UI. Is is there that
you will begin your security checks.

    Now, in this area, you have a number of options. It's actually possible
to create your own ACL (and take advantage of the infrastructure that
windows provides). There is a good article showing how to do this (in
unmanaged code which can be converted to managed code) on MSDN titled
"Techniques for Securing Private Objects in Your Applications", located at
(watch for line wrap):

http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/SecPrivateObjects.asp

    Hope this helps.

-- 
               - Nicholas Paldino [.NET/C# MVP]
               - mvp@spam.guard.caspershouse.com
"Z D" <NOSPAM@NOSPAM.com> wrote in message
news:ev3yitRMEHA.3472@TK2MSFTNGP09.phx.gbl...
> Good Morning,
>
> I was looking for some feedback, guidance, input, comments, suggestions or
> just general thoughts on the following:
>
> For our internal development, I'm trying to create a general, reusable
> security framework that is very flexible.  It would have to handle both
> Authentication and Authorization. The access levels allowed on each
'object'
> would be: View/Edit/Read/Write.
>
> Essentially, the first thought that came to mind was to model it after the
> way ACL's work in Windows NTFS.  This way, I have the flexibility to
assign
> View/Edit/Read/Write permissions to each button, form, or any other
> object/grouping of objects available in any given application.
>
> Unfortunately, all I know about the way ACL's work is what I see as an end
> user.  I'm assuming each 'object' gets some form of a unique identifier
> (guid?).  Each user in the system is then linked to a guid along with an
> access level (Read, write, etc). This info is stored in a database/xml
> file/wherever. Is this a valid approach?
>
> ***The question then becomes: How do I do this in an efficient & elegant
> manner? I dont want to have to put an IF statement around each and every
> button, form or object access!
>
> How do you guys do it? Are there any resources, other people that have
> done/attempted something like this in the past?
>
> thanks in advance!
> -ZD
>
>
>
>
>

• Next message: AlexS: "Re: Security Model"
• Previous message: Carlos: "Map Network Drive"
• In reply to: Z D: "Security Model"
• Next in thread: Z D: "Re: Security Model"
• Reply: Z D: "Re: Security Model"
• Messages sorted by: [ date ] [ thread ]

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint