Cy Huckaba #1
Role based opinion needed - Not for app but for assets...
I have gone through newsgroups and several websites and have a pretty good
handle on the role based security and dynamically displaying pages on our
extranets based on roles and permissions. We are adding another layer of access
permissions to our extranets and I need some opinions on the best way to achieve
what we are trying to do.
Currently our access levels look like this. Users are either internal or
external and then within each of those groups there are 3 more access levels.
Internal (Employees) - User | Manager | Executive
External (Client) - User | Manager | Executive
Some parts of pages and/or datasets displayed contain internal and external
records for users in the internal group and only external records for users in
the external groups, etc. The user | mgr | exec subgroups not only control
who can view certain documents but also provide some admin privileges
as well (edit/update/create), etc.
We are adding another high-level group called Vendors which will also contain
the 3 subgroups, so that clients can open up some of the functions to
outside vendors that we partner with to get projects done sometimes.
Currently, assets that are up for review are tagged with an internalOnly flag
(boolean) and a minAccessLevel value (0 | 5 | 10) as well as the clientID. This
will not work in the new scenario where vendors may or may not have access to
every asset within a job. We are basically going to have to move to an ACL
scenario.
I don't know what the best way to approach this is. Do I have an ACL field that
is comma-separated with all roles? Example: vendors that can access this asset
would be xyz, abc; and another ACL field that says whether or not vendors even
have access (groups that can have access are int, ext, ven)?
Basically internal can see everything that satisfies the minimum access level.
Clients are the same. Vendors may be able to see some things, but the clients do
want to be able to specify access to which vendors. If something is posted by a
vendor then only that vendor can see it, some vendors will be able to see all
(super Vendors). I know this is vague and apologize.
Any thoughts or links to articles you can provide would be greatly appreciated.
Looking for thought process more than code here.
Thanks,
Cy Huckaba
T3 - Austin, TX
MSFT #2
RE: Role based opinion needed - Not for app but for assets...
Hello,
I think you may consider adding an ACL table in your database, and granting every
resource a Resource ID and every role a Role ID. In the ACL table, if
there is a record for a specific role ID and resource ID, the role will have
permission to view the resource. You can also add a field to the record
to indicate if a role can read/write/create the resource.
Luke
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
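The ACL table Luke describes, worked through against the scenario in the question (internal staff, a client, and two vendors, with a vendor-posted asset that only that vendor may see). This is an added example, not code from the thread or from Microsoft; the table layout, the role-ID naming scheme (`int:mgr`, `ext:acme:user`, `ven:xyz:user`), the function names and the sample data are all assumptions made here for illustration. It uses SQLite so it runs offline; the SQL is ordinary enough to move to SQL Server.

```python
import sqlite3

# The action name is mapped through this allow-list before it is spliced into
# SQL, so only a known column name can ever reach the query text.
ACTION_COLUMNS = {"read": "can_read", "write": "can_write", "create": "can_create"}

# Assumed schema: one row per role, one per resource, and one ACL row per
# (resource, role) pair that has any permission at all.
SCHEMA = """
CREATE TABLE role (
    role_id TEXT PRIMARY KEY,   -- e.g. 'int:mgr', 'ext:acme:user', 'ven:xyz:user'
    grp     TEXT NOT NULL,      -- 'int' | 'ext' | 'ven'
    org_id  TEXT,               -- client or vendor id; NULL for internal staff
    level   INTEGER NOT NULL    -- 0 user | 5 manager | 10 executive
);
CREATE TABLE resource (
    resource_id TEXT PRIMARY KEY,
    client_id   TEXT NOT NULL,
    posted_by   TEXT NOT NULL REFERENCES role(role_id)
);
CREATE TABLE acl (
    resource_id TEXT NOT NULL REFERENCES resource(resource_id),
    role_id     TEXT NOT NULL REFERENCES role(role_id),
    can_read    INTEGER NOT NULL DEFAULT 0,
    can_write   INTEGER NOT NULL DEFAULT 0,
    can_create  INTEGER NOT NULL DEFAULT 0,
    PRIMARY KEY (resource_id, role_id)
);
CREATE INDEX acl_by_role ON acl(role_id);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def grant(conn, resource_id, role_id, read=False, write=False, create=False):
    """Write the ACL row for one (resource, role) pair; no row means no access."""
    conn.execute(
        "INSERT OR REPLACE INTO acl VALUES (?, ?, ?, ?, ?)",
        (resource_id, role_id, int(read), int(write), int(create)),
    )

def can(conn, role_ids, resource_id, action):
    """Deny by default: True only if a role the user holds has the flag set."""
    if not role_ids:
        return False
    column = ACTION_COLUMNS[action]  # KeyError for an action we do not know
    marks = ",".join("?" * len(role_ids))
    row = conn.execute(
        f"SELECT 1 FROM acl WHERE resource_id = ? AND {column} = 1 "
        f"AND role_id IN ({marks}) LIMIT 1",
        (resource_id, *role_ids),
    ).fetchone()
    return row is not None

def readable_resources(conn, role_ids):
    """Filter in the query itself so a listing page never sees unauthorised rows."""
    if not role_ids:
        return []
    marks = ",".join("?" * len(role_ids))
    rows = conn.execute(
        "SELECT DISTINCT r.resource_id FROM resource r "
        "JOIN acl a ON a.resource_id = r.resource_id "
        f"WHERE a.can_read = 1 AND a.role_id IN ({marks}) ORDER BY r.resource_id",
        tuple(role_ids),
    ).fetchall()
    return [r[0] for r in rows]

def build_sample():
    """Constructed sample data: client 'acme' working with vendors 'xyz' and 'abc'."""
    conn = open_db()
    conn.executemany("INSERT INTO role VALUES (?, ?, ?, ?)", [
        ("int:mgr", "int", None, 5),
        ("ext:acme:user", "ext", "acme", 0),
        ("ven:xyz:user", "ven", "xyz", 0),
        ("ven:abc:user", "ven", "abc", 0),
    ])
    conn.executemany("INSERT INTO resource VALUES (?, ?, ?)", [
        ("A1", "acme", "ext:acme:user"),  # client posted, opened to vendor xyz
        ("A2", "acme", "ven:xyz:user"),   # posted by vendor xyz
        ("A3", "acme", "ext:acme:user"),  # client-only
    ])
    for rid in ("A1", "A2", "A3"):        # internal staff see everything
        grant(conn, rid, "int:mgr", read=True, write=True, create=True)
    grant(conn, "A1", "ext:acme:user", read=True, write=True)
    grant(conn, "A1", "ven:xyz:user", read=True)              # vendor: read-only
    grant(conn, "A2", "ven:xyz:user", read=True, write=True)  # only the posting vendor
    grant(conn, "A3", "ext:acme:user", read=True, write=True)
    conn.commit()
    return conn
```

A "super vendor" needs no special case in the check: it is either a user who holds several vendor roles (pass them all in `role_ids`) or a dedicated role that the posting code grants a row for on every vendor-shareable asset. The listing query does the filtering in SQL rather than fetching everything and trimming in page code, so an asset with no ACL row simply never appears. The comma-separated ACL column from the question cannot be indexed or joined on, and the `LIKE '%xyz%'` match it forces also hits a vendor named `xyz2`; one row per (resource, role) avoids both problems.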