Application Security - Design Question
-
My company has a winform application with hundreds of forms. The application is close to be released and management now want us to add application level security in it. So basically things like a user X in role Y can do certain things but should not be able to do other things. We cannot reply on the fact that all our clients will have windows domain. My initial thought about its design is to have some kind of mapping in terms of UI elements in different forms and then make these UI elements read-only based on permissions. Just wondering if there are any patterns of implementing it and if anyone can point me to links for it? I have looked at Security Application Block in Micorosoft Enterprise Library and seem like it can be used for authenticating the users but its probably problematic if you are not on Active Directory (correct me if I am worng here)?
-
My company has a winform application with hundreds of forms. The application is close to be released and management now want us to add application level security in it. So basically things like a user X in role Y can do certain things but should not be able to do other things. We cannot reply on the fact that all our clients will have windows domain. My initial thought about its design is to have some kind of mapping in terms of UI elements in different forms and then make these UI elements read-only based on permissions. Just wondering if there are any patterns of implementing it and if anyone can point me to links for it? I have looked at Security Application Block in Micorosoft Enterprise Library and seem like it can be used for authenticating the users but its probably problematic if you are not on Active Directory (correct me if I am worng here)?
imak wrote:
The application is close to be released and management now want us to add application level security in it
What an excellent planning and design system you have. This is so common it hurts (it is now going to bite you guys). From a couple of decades of practical experience! . Internalise you security, manage your authorisation in your application by mapping UI elements to roles. . We use an AEDX field on a function (UI element) that allows a fine grain control . Base your authentication on Active Directories, once they log on they are authenticated, then look up your internal authorisation tables. . Create a base form that all your dialog/forms can inherit that will do your user validation. We have a main menu and 95% of apps (we have about 15) only require security applied to this level (ie this user group can have the Customer function but has no AEDX rights on the form, therefore it is read only) Adding security to a major app is not a trivial excercise and testing is a stone bitch! Good luck
Never underestimate the power of human stupidity RAH
-
My company has a winform application with hundreds of forms. The application is close to be released and management now want us to add application level security in it. So basically things like a user X in role Y can do certain things but should not be able to do other things. We cannot reply on the fact that all our clients will have windows domain. My initial thought about its design is to have some kind of mapping in terms of UI elements in different forms and then make these UI elements read-only based on permissions. Just wondering if there are any patterns of implementing it and if anyone can point me to links for it? I have looked at Security Application Block in Micorosoft Enterprise Library and seem like it can be used for authenticating the users but its probably problematic if you are not on Active Directory (correct me if I am worng here)?
How are the security roles going to be described to you? Usually in situations like this the business user will describe the security in terms of a business process rather than individial pieces of data. Something like "the accounting role can process invoices" rather than "the accounting role can update the following fields...". If your app is designed along similar business process flows, then the security can probably be applied to a few buttons and menu items or at the form level rather than lots of individual data controls. Mapping each and every UI element to a permission scheme can be terrible for performance. Since this is something that you distribute to multiple clients you also need to decide about how the roles will be managed unless you intend to force the same scheme on all of your customers.
-
My company has a winform application with hundreds of forms. The application is close to be released and management now want us to add application level security in it. So basically things like a user X in role Y can do certain things but should not be able to do other things. We cannot reply on the fact that all our clients will have windows domain. My initial thought about its design is to have some kind of mapping in terms of UI elements in different forms and then make these UI elements read-only based on permissions. Just wondering if there are any patterns of implementing it and if anyone can point me to links for it? I have looked at Security Application Block in Micorosoft Enterprise Library and seem like it can be used for authenticating the users but its probably problematic if you are not on Active Directory (correct me if I am worng here)?
this is the right time to add application level security. Never think about such things when you start writing your app. Always add security related things in a hurry short before release date - and of course don't waste time testing it. :laugh:
-
My company has a winform application with hundreds of forms. The application is close to be released and management now want us to add application level security in it. So basically things like a user X in role Y can do certain things but should not be able to do other things. We cannot reply on the fact that all our clients will have windows domain. My initial thought about its design is to have some kind of mapping in terms of UI elements in different forms and then make these UI elements read-only based on permissions. Just wondering if there are any patterns of implementing it and if anyone can point me to links for it? I have looked at Security Application Block in Micorosoft Enterprise Library and seem like it can be used for authenticating the users but its probably problematic if you are not on Active Directory (correct me if I am worng here)?
Hello imak, In one of my application I have implemented Application settings same as you want to right now. I developed Security Level for each type of user type. Admin can add so for each form/task in the application. When the logged user logs in, reading these set settings user can access or cannot access based on the security settings. For example, you have Customer form : Customer Add 0, 1, 2 Edit 0, 2 Delete 0 User Type with Roles (0- Admin, 1-Operator, 2-Receptionist] are set as 0, 1, 2... and so are to the tasks of Custoemr form. So you see Add can be performed by Admin, Operator & Receptionist; Edit can be performed by Admin & Receptionist; Delete can be performed only by Admin The same if you don't want to do task wise and only form wise, you can do that to by just setting for Customer form and not tasks of the form. So all tasks will be set by all those users. Hope this helps. NOTE: Vote if this helps.
Thanks & Regards,