Using user accounts and permissions from custom database for authentication and authorisation in ASP.NET 4? [modified]
-
Hi everyone, I developed a Windows Application for the cancer department I am working in. It is a registry of all the patients that we see in the department and the doctors use it for stats and research. Patients are entered and edited in the system. There is also a reports system where users can create their own custom reports and save the report parameters for future use.

I have done the user accounts such that a user can belong to more than one group. So a user might belong to the 'Patients Admin' group, the 'Data Admin' group and to the 'Reports Admin' group. Another user might belong to the 'Patient Edit' group and 'Reports Admin' group. A third user might only belong to the 'Patient Open' group. Thus depending on the group they belong to they can access certain areas and forms are only allowed certain actions. In other words some users might be able to access a screen/form to view the information, but cannot edit the information.

I am using a SQL Server 2008 Express database as the back-end. The user accounts (usernames and hashed passwords) and the Group details and Permissions details are also stored in the same database.
The structure is like the following:

CREATE TABLE [dbo].[Groups1] (
    [GID] [int] NOT NULL PRIMARY KEY CLUSTERED,
    [GroupName] [nvarchar](50) NOT NULL,
    [Description] [nvarchar](150) NULL
)

CREATE TABLE [dbo].[Permissions1] (
    [PID] [int] NOT NULL PRIMARY KEY CLUSTERED,
    [Permission] [nvarchar](50) NOT NULL,
    [Description] [nvarchar](150) NULL
)

CREATE TABLE [dbo].[Users1] (
    [UsID] [int] NOT NULL PRIMARY KEY CLUSTERED,
    [Username] [nvarchar](50) NOT NULL,
    [UPassword] [nvarchar](50) NOT NULL
)

CREATE TABLE [dbo].[GroupPermissions1] (
    [GPID] [int] NOT NULL,
    [FK_GID] [int] NOT NULL FOREIGN KEY REFERENCES Groups1 (GID),
    [FK_PID] [int] NOT NULL FOREIGN KEY REFERENCES Permissions1 (PID)
)

CREATE TABLE [dbo].[UserGroups1] (
    [UGID] [int] NOT NULL,
    [FK_UID] [int] NOT NULL FOREIGN KEY REFERENCES Users1 (UsID),
    [FK_GID] [int] NOT NULL FOREIGN KEY REFERENCES Groups1 (GID)
)

I was asked to convert this Windows application to a Web application. Due to confidentiality issues regarding patient details I need to do authentication and authorization. Is it possible to use this type of group and permissions structure in a web application? If it is possible the next question is then how easy will it be to implement the built-in login controls from ASP.NET with the user accounts, groups, and permissions
-
Yes, you can :) Have a look at: Custom MembershipProvider and RoleProvider Implementations that use Web Services. It's not exactly what you are looking for, but it also involves creating a custom role and membership provider. If you implement these, you can keep using the standard ASP.NET controls.
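An added example, not part of the original answer or of the linked article: a read-only custom RoleProvider that exposes the question's groups as ASP.NET roles by joining Users1, UserGroups1 and Groups1 with a parameterized query. The class name RegistryRoleProvider and the connection string name RegistryDb are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Security;

// Added example: maps rows of Groups1 (via UserGroups1) to ASP.NET role names.
public class RegistryRoleProvider : RoleProvider
{
    // Assumption: web.config defines a connection string with this name.
    private const string ConnName = "RegistryDb";

    public override string ApplicationName { get; set; }

    public override string[] GetRolesForUser(string username)
    {
        const string sql = @"SELECT g.GroupName
                             FROM dbo.Users1 u
                             JOIN dbo.UserGroups1 ug ON ug.FK_UID = u.UsID
                             JOIN dbo.Groups1 g ON g.GID = ug.FK_GID
                             WHERE u.Username = @username";
        var roles = new List<string>();
        using (var conn = new SqlConnection(
            ConfigurationManager.ConnectionStrings[ConnName].ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Parameterized: the username is never concatenated into the SQL text.
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = username;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                while (reader.Read()) roles.Add(reader.GetString(0));
        }
        return roles.ToArray();
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        // An unknown user or group yields an empty list, so access is denied.
        return Array.IndexOf(GetRolesForUser(username), roleName) >= 0;
    }

    // Group administration stays in the existing application, so it is not exposed here.
    public override void AddUsersToRoles(string[] u, string[] r) { throw new NotSupportedException(); }
    public override void CreateRole(string r) { throw new NotSupportedException(); }
    public override bool DeleteRole(string r, bool t) { throw new NotSupportedException(); }
    public override string[] FindUsersInRole(string r, string m) { throw new NotSupportedException(); }
    public override string[] GetAllRoles() { throw new NotSupportedException(); }
    public override string[] GetUsersInRole(string r) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] u, string[] r) { throw new NotSupportedException(); }
    public override bool RoleExists(string r) { throw new NotSupportedException(); }
}
```

The provider takes effect once it is registered in the `<roleManager>` section of web.config with `enabled="true"` and named as the `defaultProvider`; after that, `User.IsInRole("Patients Admin")` resolves against the existing tables. Permission rows from GroupPermissions1 are not consulted in this sketch.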
-
The good news is, you can do exactly what you are doing now. Porting your application to the web does not impede your ability to query your database for the users' roles and permissions and provide access to the page only if they meet the criteria they would have needed in a Windows application.

There are excellent tools in the built-in ASP.NET membership providers as someone else has posted, but you can also do it just like you are doing now and not have to re-write that part of your code. I work in a web-based environment where we use exactly that sort of thing--roles and permissions and actions linked in SQL2008 tables. Works fine.

If you do switch to the built-in role and membership providers in ASP.NET, you will gain some advantages because you can simply check the value of methods like UserIsInRole or IsLoggedIn and so forth, but you can also port your Windows Forms code to check these in the page load event, and redirect them to a page telling them they can't play there if they don't belong.

I hope this helps, and good luck with your application.

Lisa Z. Morgan