henrikop
Constraint Violating Yak Guru
280 Posts |
Posted - 2002-03-14 : 05:52:10
Hiya,

I am building an ASP.NET website for a local Intranet (with 60 users), based on .aspx pages and SQL 2000 (on a Windows 2000 Server). I work as a freelancer; my customer doesn't have a lot of IT knowledge. So I figured I should make the application as maintainable as possible. I've made a user-right structure of users, departments and roles, where roles are something like Guest, User, Manager, Data Administrator, Operational Administrator, etc.

Now I thought of building the following: for every 'Maintenance' button I check if the role has rights to see and execute this button. This is also the case with menu options, etc. So every object has a Check-Right check. This is a stored procedure which returns a 0 (no right) or a 1. Most of the pages have some of these maintenance objects.

My question: is this 'the way to go', or is this 'wise'? Will this create a lot of overhead (which will make the web pages slow)? Or do you reckon that this won't be a problem? I know it's hard to say, but maybe you have suggestions, or a way to do this differently.

The thing is: if I make a lot of things 'hard coded' it's hard to maintain, and I like to make a friendly user interface for the people maintaining the Intranet. The web pages do a lot of the company processes like Service, Expedition, etc., so users will likely work on these web pages a lot.

The .NET framework and the SQL Server reside on 1 single-processor (new) server, with 40 GB of hard disc capacity and 2 GB RAM.

Thx!!
Henri

~~~
Guilt is like a bag of bricks. All you gotta do is set it down...

robvolk
Most Valuable Yak
15732 Posts |
Posted - 2002-03-14 : 07:25:18
How hard would it be to separate the maintenance functions onto another page? Instead of sprinkling a number of small security checks on many pages, it'll be a lot easier to manage if there are fewer pages that need to perform the checks.

I personally wouldn't want to have the overhead of 10-12 buttons on a page, each one making a call to the database. Especially if someone is a system admin, NONE of those functions should even be hinted at on a page... those should be kept separate, on a page only they can access. I would even suggest that the web server be configured to restrict access to those pages.

|
Nazim
A custom title
1408 Posts |
Posted - 2002-03-14 : 07:45:34
A few days back I had a similar issue, and figured it out using the security mechanism implemented in ibuyspy.com. It's the same as Rob talks about: the security is maintained separately. You could visit this website; it has a downloadable version, which comes with the database and the source code. It should help you greatly.

--------------------------------------------------------------

|
henrikop
Constraint Violating Yak Guru
280 Posts |
Posted - 2002-03-14 : 08:49:32
I will check out the IBuySpy sample. I did that already, but I only 'skimmed' the code because I had trouble enough learning to do just the basics.

I know that administrating the database should be done in separate pages; I've done so already (things like 'Rundays', 'Log book', Change User Properties, etc.).

But when I display (for example) a customer list, I don't want to show normal Users the button 'Edit' when they don't have the right to 'Edit' these records. Does it cost a lot of overhead to do these right checks? And if so, how can I work around that?

Henri

~~~
Guilt is like a bag of bricks. All you gotta do is set it down...

|
robvolk
Most Valuable Yak
15732 Posts |
Posted - 2002-03-14 : 08:54:56
I think you should look at setting cookies that contain access rights. These can be set at the time of login, and you'll never have to check the database again. As long as you don't have deep "contextual" rights (meaning that some rows can be edited but some can't) this works extremely well. You can put A LOT of information into one cookie if you're careful, and you can set cookie expiration to prevent people from unauthorized use if they leave their terminal unattended for extended periods.

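Rights kept in a cookie sit in the browser, and whoever sits at that browser can edit a cookie, so the approach above only works when the server can tell that the value it gets back is the one it issued. The following is an added example, not code from the thread, of one way to do that in C#: the user name, rights mask and expiry are written into the cookie value together with an HMAC-SHA256 over them, and the rights are only used after the HMAC verifies. The class `RightsCookie`, its methods, the `|` layout of the value and the placeholder key are all assumptions made for the example; an ASP.NET page would put the returned string into an `HttpCookie` at login and hand it to `TryRead` on each request.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the thread: a rights value that can be stored in a
// cookie because the server detects any change made to it in the browser.
public static class RightsCookie
{
    // Server-side secret. Placeholder for the example: a real deployment loads a
    // random key of at least 32 bytes from protected configuration.
    private static readonly byte[] Key =
        Encoding.UTF8.GetBytes("example-only-key-replace-with-32-random-bytes");

    // Value layout (assumption): "user|rights|expiryUtcTicks|base64(HMAC)".
    // The part before the last '|' is readable by the browser; the HMAC cannot
    // be recomputed without Key, so any edit to user, rights or expiry is caught.
    public static string Create(string user, int rights, DateTime expiresUtc)
    {
        if (user == null || user.IndexOf('|') >= 0)
            throw new ArgumentException("user name must not contain '|'", "user");
        string payload = user + "|" + rights + "|" + expiresUtc.Ticks;
        return payload + "|" + Sign(payload);
    }

    // Returns false for a missing, malformed, tampered or expired cookie. The
    // rights are only assigned after the signature has been verified.
    public static bool TryRead(string cookie, DateTime nowUtc, out string user, out int rights)
    {
        user = null;
        rights = 0;
        if (cookie == null) return false;

        int sep = cookie.LastIndexOf('|');
        if (sep <= 0) return false;
        string payload = cookie.Substring(0, sep);
        string signature = cookie.Substring(sep + 1);
        if (!ConstantTimeEquals(Sign(payload), signature)) return false;

        string[] parts = payload.Split('|');
        if (parts.Length != 3) return false;
        int parsedRights;
        long ticks;
        if (!int.TryParse(parts[1], out parsedRights) || !long.TryParse(parts[2], out ticks))
            return false;
        if (ticks < 0 || ticks > DateTime.MaxValue.Ticks) return false;
        if (new DateTime(ticks, DateTimeKind.Utc) < nowUtc) return false;

        user = parts[0];
        rights = parsedRights;
        return true;
    }

    private static string Sign(string payload)
    {
        using (HMACSHA256 hmac = new HMACSHA256(Key))
        {
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
        }
    }

    // Compares every character so the time taken does not depend on where the
    // first mismatch is.
    private static bool ConstantTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        DateTime now = DateTime.UtcNow;
        // Rights mask 3 = Open + Read, using the bit layout discussed later in the thread.
        string issued = Create("henri", 3, now.AddMinutes(20));

        string user;
        int rights;
        Console.WriteLine("issued cookie accepted: " + TryRead(issued, now, out user, out rights)
                          + ", rights=" + rights);

        // Someone editing the cookie to claim all six rights: the HMAC no longer
        // matches the payload, so TryRead rejects it and rights stays 0.
        string forged = issued.Replace("|3|", "|63|");
        Console.WriteLine("forged cookie accepted: " + TryRead(forged, now, out user, out rights)
                          + ", rights=" + rights);

        // An old cookie replayed after its expiry is rejected as well.
        string expired = Create("henri", 3, now.AddMinutes(-1));
        Console.WriteLine("expired cookie accepted: " + TryRead(expired, now, out user, out rights));
    }
}
```

With a server-side Session object, as suggested further down the thread, none of this is needed because the rights value never leaves the web server; the price is that session state has to survive an application restart or a second web server, which a signed cookie does for free.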
joldham
Wiseass Yak Posting Master
300 Posts |
Posted - 2002-03-14 : 09:01:07
If you want to avoid cookie issues for users that don't have cookies enabled (not many), you can look at storing information in Session Variables.

Jeremy

graz
Chief SQLTeam Crack Dealer
4149 Posts |
Posted - 2002-03-14 : 09:18:17
A couple of thoughts.

-- I do something similar on SQLTeam. In global.asax I set a session object that holds a security level. For every page I check that security object.

-- Can you create a user-defined function that will return what you need? Then just add that function to your existing queries. It will return a value (or series of values) that will define the user's rights.

-- Just write another query. The SQLTeam.com home page runs at least 8 separate queries against the database to generate the home page. Some of them are pretty ugly (i.e. generate a banner). Most are small, well-indexed queries that are optimized to return data. It still loads pretty fast. Adding a single query to a web page rarely slows it down much if it's a well-written query. Now the forum home page runs about 120 queries (I didn't write it). It runs a little slower and some of the queries aren't written as well. That's quite a few queries. I'd think a little harder about adding queries to that page.

-- Create a dataset object and cache all the security stuff in the web server. You could also do this using the CACHE objects.

Overall, I would say to code this as simply as possible to get it to work. Then figure out which parts are the slowest and work on those. I'll bet they aren't where you thought they were. If you isolate all your security stuff in a class then it should be pretty easy to recode.

===============================================
Creating tomorrow's legacy systems today.
One crisis at a time.

Onamuji
Aged Yak Warrior
504 Posts |
Posted - 2002-03-14 : 13:24:32
Or give each permission a unique BIT in a number... and just grab the user permissions, which would be a combination of these bits, and do tests for each permission you need. That way you only have to write a .NET function that evaluates the two and returns a boolean. Just a thought...

henrikop
Constraint Violating Yak Guru
280 Posts |
Posted - 2002-03-18 : 05:50:59
Onamuji, good idea!! I took some time to see what you meant, but I got the picture.

If a user opens a page I do a CheckRight function which returns 0 for no right, and 1 for rights. I had this information stored in a tblRight. For every 'sort' of right I had a bitfield --> Open, Read, Write, Add, Delete, Execute. So for every action I did a CheckRight check. But now the return value of a CheckRight is like this: '110000'. This means a user can open and read the information, but has no rights to change, add, etc.

Is this what you meant? Some things can be so simple :-)

Henri

~~~
Guilt is like a bag of bricks. All you gotta do is set it down...

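What Onamuji describes and Henri arrives at, written out as an added C# example (not code from the thread or from IBuySpy): the six rights from tblRight become one integer, computed once when the user logs in and kept in Session or in a cache, and every button or menu item on a page is decided with an AND on that integer instead of a stored-procedure call. The `Right` enum, the `RightCheck` class, the bit order (Open in the lowest bit, Execute in bit 5, matching Henri's '110000' string read left to right) and the T-SQL column names in the comment are assumptions made for the example.

```csharp
using System;

// Added example, not from the thread: all six rights from tblRight in one integer.
[Flags]
public enum Right
{
    None    = 0,
    Open    = 1,   // bit 0, first character of '110000'
    Read    = 2,   // bit 1
    Write   = 4,   // bit 2
    Add     = 8,   // bit 3
    Delete  = 16,  // bit 4
    Execute = 32   // bit 5, last character
}

public static class RightCheck
{
    // Builds the mask from the six bit columns of a tblRight row. The same value
    // can be computed by the query that loads the row, e.g. (column names assumed;
    // most of them are reserved words in T-SQL, hence the brackets):
    //   SELECT [Open]*1 + [Read]*2 + [Write]*4 + [Add]*8 + [Delete]*16 + [Execute]*32
    //   FROM tblRight WHERE RoleID = @RoleID
    public static Right FromColumns(bool open, bool read, bool write,
                                    bool add, bool delete, bool execute)
    {
        Right mask = Right.None;
        if (open)    mask |= Right.Open;
        if (read)    mask |= Right.Read;
        if (write)   mask |= Right.Write;
        if (add)     mask |= Right.Add;
        if (delete)  mask |= Right.Delete;
        if (execute) mask |= Right.Execute;
        return mask;
    }

    // Parses the '110000' form from the thread: character 0 = Open ... 5 = Execute.
    public static Right FromBitString(string bits)
    {
        if (bits == null || bits.Length != 6)
            throw new ArgumentException("expected exactly six characters", "bits");
        Right mask = Right.None;
        for (int i = 0; i < bits.Length; i++)
        {
            if (bits[i] == '1') mask |= (Right)(1 << i);
            else if (bits[i] != '0')
                throw new ArgumentException("only '0' and '1' are allowed", "bits");
        }
        return mask;
    }

    // Inverse of FromBitString, for display or for storing the mask as text.
    public static string ToBitString(Right mask)
    {
        char[] chars = new char[6];
        for (int i = 0; i < 6; i++)
            chars[i] = (mask & (Right)(1 << i)) != 0 ? '1' : '0';
        return new string(chars);
    }

    // True only when every bit in 'required' is set, so
    // Has(mask, Right.Read | Right.Write) demands both rights.
    public static bool Has(Right mask, Right required)
    {
        return (mask & required) == required;
    }

    public static void Main()
    {
        // Henri's example: the user may open and read, nothing else.
        Right mask = FromBitString("110000");
        Console.WriteLine("mask as number: " + (int)mask);
        Console.WriteLine("can read:  " + Has(mask, Right.Read));
        Console.WriteLine("can write: " + Has(mask, Right.Write));

        // Same mask built from the tblRight columns, as the login query would do.
        Right fromRow = FromColumns(true, true, false, false, false, false);
        Console.WriteLine("same mask from columns: " + (fromRow == mask));

        // Deciding one control on a page: no database round trip per button.
        bool showEditButton = Has(mask, Right.Read | Right.Write);
        Console.WriteLine("render Edit button: " + showEditButton);
        Console.WriteLine("as bit string: " + ToBitString(mask | Right.Delete));
    }
}
```

The mask only decides what the page renders. The code that runs when the Edit button posts back has to call `Has` on the same mask again, because a user who knows the page and the form field can submit the request without the button ever having been shown; hiding a control is a convenience for the user, not the access check.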