
I'm building an ASP.NET MVC app with the Identity 2.0 Framework. I've added the users and roles on the AspNet* tables on SQL Server. Here's a sample of the roles:

  • Finance
  • General
  • SquadLeader
  • Management
  • SystemAdmin

Someone with SystemAdmin has all other roles. Management includes SquadLeader and Finance.

When assigning these on AspNetUserRoles, I'd hate to list out every combination for each user. Is there a way to have one role be a group of roles or a hierarchy? So when I run User.IsInRole("Finance") it would be true for a user who has been assigned the SystemAdmin role? Thanks.

  • With the built-in classes, no, there is no way. You need to create your own implementation Commented Jun 30, 2017 at 18:17
  • Thanks, @CamiloTerevinto. I was afraid of that Commented Jun 30, 2017 at 18:20
  • Unfortunately, the built-in classes are very limited. I've found myself most of the times writing my own Store/User/Role implementations. Commented Jun 30, 2017 at 18:22
  • Wishing someone had a nuget package for this :) Commented Jun 30, 2017 at 18:23
  • Perhaps this article may help: brechtvn.wordpress.com/2016/10/19/… Commented Jul 1, 2017 at 0:17

1 Answer

Assuming these roles are "as is" and the list of roles here is all of them, then you can translate this into a flags-based enum, and a representation of a set of roles can be stored in the DB as an integer.

Here's how it might work ...

```csharp
// [Flags] marks the enum as a bit set; each member is a distinct power of two.
[Flags]
public enum Role
{
    Finance = 1,
    General = 2,
    SquadLeader = 4,
    Management = 8,
    SystemAdmin = 16
}
```

When applying this to my business logic I can say stuff like ...

```csharp
var genAndSysAdmin = 18;                                    // 2 + 16, as stored in the DB
var genAndSysAdminFlags = Role.General | Role.SystemAdmin;  // the same value as a Role (bitwise OR, not ||)
```

Using this you can have a "RoleFlags" variable of type "Role" on a user object and do checks like ...

```csharp
User.Roles.HasFlag(Role.Management)
```

... to check if a user is in a given role. In other words, in your example, if the user has all other roles when they have SysAdmin, the flags value would be ...

```csharp
var allRoles = 16 + 8 + 4 + 2 + 1;  // 31: every bit set
```

... essentially this works like a simple bitmap.
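As an added example (not code from the answer above), here is the bitmap approach carried through with the question's implied roles: SystemAdmin grants every other role and Management grants SquadLeader and Finance. The `RoleFlags` class, its `Expand` and `IsInRole` methods, and the idea of a single integer column holding a user's assigned roles are assumptions of this example, not part of the Identity framework. The implication is applied when checking, not when storing, so the database keeps only what was actually assigned.

```csharp
using System;

// Added example: the five roles from the question as a [Flags] enum.
[Flags]
public enum Role
{
    None        = 0,
    Finance     = 1,
    General     = 2,
    SquadLeader = 4,
    Management  = 8,
    SystemAdmin = 16
}

public static class RoleFlags
{
    // Expand the directly assigned roles to the full set they imply
    // (hypothetical rules taken from the question, hard-coded here).
    public static Role Expand(Role assigned)
    {
        var effective = assigned;
        if ((assigned & Role.SystemAdmin) != 0)
            effective |= Role.Finance | Role.General | Role.SquadLeader | Role.Management;
        if ((assigned & Role.Management) != 0)
            effective |= Role.SquadLeader | Role.Finance;
        return effective;
    }

    // Check a stored integer against one role. Role.None is rejected up front
    // because Enum.HasFlag(0) is always true, which would pass every check.
    public static bool IsInRole(int storedFlags, Role role)
    {
        if (role == Role.None) return false;
        return Expand((Role)storedFlags).HasFlag(role);
    }

    public static void Main()
    {
        // Constructed sample values for a hypothetical integer column holding
        // the roles assigned to a user.
        int sysAdminOnly = (int)Role.SystemAdmin;                  // 16
        int managerOnly  = (int)Role.Management;                   // 8
        int genAndSys    = (int)(Role.General | Role.SystemAdmin); // 18

        Console.WriteLine($"SystemAdmin in Finance: {IsInRole(sysAdminOnly, Role.Finance)}");
        Console.WriteLine($"Management in General:  {IsInRole(managerOnly, Role.General)}");
        Console.WriteLine($"Stored {genAndSys} expands to: {Expand((Role)genAndSys)}");
    }
}
```

Keeping the implication rules in code rather than in the stored integers means a later change to what Management includes takes effect for every user immediately, with no data migration; the cost is that the rules live in one hard-coded place and must be reviewed whenever a role is added.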

HOWEVER!

It is not recommended that we design our security model this way.

Instead we should create a normal role structure but then also allow the roles to have a child collection of roles and a parent role.

This would allow a more typical design that works something like an LDAP / Active Directory type setup ...

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.ComponentModel.DataAnnotations.Schema;

public class Role
{
    [Key]
    public Guid Id { get; set; }

    // Nullable: the top-level role (e.g. SystemAdmin) has no parent.
    [ForeignKey("Parent")]
    public Guid? ParentId { get; set; }

    [Required]
    public string Name { get; set; }

    public virtual Role Parent { get; set; }
    public virtual ICollection<User> Users { get; set; }
    public virtual ICollection<Role> Children { get; set; }
}

public class User
{
    [Key]
    public Guid Id { get; set; }
    // ... other user properties
    public virtual ICollection<Role> Roles { get; set; }
}
```

then we set up our data like this ...

```csharp
// Ids are Guids to match the entity above; each child points at its parent's Id.
var systemAdmin = new Role { Id = Guid.NewGuid(), Name = "SystemAdmin" };
var management  = new Role { Id = Guid.NewGuid(), Name = "Management",  ParentId = systemAdmin.Id };
var squadLeader = new Role { Id = Guid.NewGuid(), Name = "SquadLeader", ParentId = management.Id };
// ...
```

... working this way allows you to inherit, in a flexible manner, the level of permissions of all the child roles in any given parent role, and also to treat your permissions like the hierarchy you are trying to simulate, whilst taking a more typical pattern and allowing you to add new roles in the future.
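As an added example (not the answer's code, and not part of ASP.NET Identity), here is the part the answer leaves implicit: how a parent/child role tree turns into a `User.IsInRole("Finance")` that is true for a user who was only assigned SystemAdmin. The `RoleNode` class and the `RoleHierarchy` helper are assumptions of this example; the only framework pieces used are `ClaimsIdentity` and `ClaimsPrincipal` from `System.Security.Claims`, whose `IsInRole` reads claims of type `ClaimTypes.Role`, which is also what an Identity sign-in puts in the cookie. The constructed tree matches the question: SystemAdmin above Management and General, Management above SquadLeader and Finance.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Added example: one node of the role tree (hypothetical, in-memory stand-in
// for the Role entity with its Children collection).
public class RoleNode
{
    public string Name { get; set; }
    public List<RoleNode> Children { get; } = new List<RoleNode>();
}

public static class RoleHierarchy
{
    // Collect every role reachable below the directly assigned ones. The result
    // set doubles as a visited set, so a cycle in mis-entered ParentId data
    // terminates instead of looping forever.
    public static HashSet<string> EffectiveRoles(IEnumerable<RoleNode> assigned)
    {
        var result = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        var pending = new Stack<RoleNode>(assigned);
        while (pending.Count > 0)
        {
            var role = pending.Pop();
            if (!result.Add(role.Name)) continue;   // already expanded
            foreach (var child in role.Children) pending.Push(child);
        }
        return result;
    }

    // Build a principal the way a sign-in would: one ClaimTypes.Role claim per
    // effective role. The authentication type string is a placeholder.
    public static ClaimsPrincipal BuildPrincipal(string userName, IEnumerable<RoleNode> assigned)
    {
        var identity = new ClaimsIdentity("ExampleAuthType");
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));
        foreach (var role in EffectiveRoles(assigned))
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
        return new ClaimsPrincipal(identity);
    }

    public static void Main()
    {
        // Constructed tree from the question.
        var finance     = new RoleNode { Name = "Finance" };
        var squadLeader = new RoleNode { Name = "SquadLeader" };
        var general     = new RoleNode { Name = "General" };
        var management  = new RoleNode { Name = "Management" };
        management.Children.Add(squadLeader);
        management.Children.Add(finance);
        var systemAdmin = new RoleNode { Name = "SystemAdmin" };
        systemAdmin.Children.Add(management);
        systemAdmin.Children.Add(general);

        // Constructed users: alice is assigned only SystemAdmin, bob only Management.
        var alice = BuildPrincipal("alice", new[] { systemAdmin });
        var bob   = BuildPrincipal("bob",   new[] { management });

        Console.WriteLine($"alice in Finance: {alice.IsInRole("Finance")}");
        Console.WriteLine($"bob in Finance:   {bob.IsInRole("Finance")}");
        Console.WriteLine($"bob in General:   {bob.IsInRole("General")}");
        Console.WriteLine($"alice roles:      {string.Join(", ", EffectiveRoles(new[] { systemAdmin }))}");
    }
}
```

Expanding the tree at sign-in keeps `AspNetUserRoles` holding only the roles actually assigned, which is what an auditor wants to see, while every `[Authorize(Roles = ...)]` and `IsInRole` check in the app works unchanged. The visited-set guard matters because the entity design in the answer lets a `ParentId` point anywhere, including back up the tree; a naive recursive walk over such data would never return.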


3 Comments

Thanks, @War, for the great answer. Hope you don't mind the edit to format the two classes. A follow-up: How do I tie these roles into the Identity Framework's AspNetRoles table on SQL Server, which assigns its own GUID to the roles for their ID?
I second Alex's question.
Tie? In your code it's normally recommended you refer to roles by name, so the id values are merely an implementation detail you don't care about, but if it's important you can implement your own versions of IUser and IRole in the framework; then you can choose which interfaces you want to implement to replace subsets of its functionality with your own.
