{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 三岁会撩人 的问题《Manage entity access and permissions with Entity F》','https://www.manongdao.com/q-1344758.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
In a web application using Entity Framework 4.1 we use SQL Server Membership to manage user access. However we need to implement a more granular set of roles a permission management.
In the database we have already created the relative tables:
- Roles
- Permissions
- UserInRole (roles per user)
- RolesPermissions (permissions associated to a role)
Using attributes on some of the core entities we restrict the access semantically with EF, as example, given a specific user, s/he can see only the relative shipped orders or inherent data.
Now we would like to inject the permissions in it, meaning as example that a customer can see and create orders, while a company (these are two different roles) could only see orders for their products and also print reports.
The idea would be to use attributes also for permissions at entity level and check if the current user owns proper rights when a method is invoked. For instance:
public void BeforeAdd()
{
// Get required permissions for the specific entity (Order as example)
//Check that current user has permission of creating a new Order
}
Such a method would be called by each entity, allowing to centralize the control over permissions at entity level.
We use MVC as frontend and in there we have already implemented roles and permissions access. We need to make the same with the backend part (containing data layer). These are two separate servers communicating via web services. By implementing permission management on the back end part would strengthen the control over data access.
Is there any pattern or best practice that we could follow (eventually using some built in features of EF) to achieve permissions management?
Are you familiar with ASP.NET's default membership provider?
It is a typical example of how to set up a membership system. It may be a good example to study if you are unfamiliar with it.
You may also find this SO question helpful.
Yes, it's called Aspect-Oriented Programming and PostSharp is probably the best tool for the job (unfortunately it's not free).
However, if you are using MVC (you haven't mentioned anything as such yet) you could derive your own version of the AuthorizeAttribute to query your own permission tables and you can simply decorate your actions with the roles you want to allow e.g.