Granular permissions with certain requirements for an MVC site

温柔的废话 2020-12-29 15:05

I don't like the built-in membership providers. I've decided to roll my own. I'm trying to come up with a good method for performing authorization at the action level. He

3 answers
  •  無奈伤痛
    2020-12-29 15:28

    Seems like you want something very flexible and independent of what can be demanded for a security check. So, it depends on "how far you are ready to go".

    To help point this in the right direction, I strongly recommend you look at Claims-based Access Control. And take this article as a starting point, and the ASP.NET MVC example.

    But remember that it is a complex topic. Very flexible (even allowing Federated Access Control without any code changes) but complex.

    We had to go this way to make our apps completely unavailable of those "right checking" implementations. All our systems know is what "claim" they need to perform a certain action, and they ask for it based on the provided user identity (which is a "claim" too). Roles, permissions and other claims can be easily "translated" to those app-specific "claims" that make sense for our apps. Full flexibility.

    P.S. It doesn't solve the technical problems of "magic strings" and the like (you have to think about that depending on your situation), but it gives you a very flexible access control architecture.
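
The role-to-claim translation described in the answer above, as an added example that is not part of the original answer or of any linked article. The claim type URI, the role names and the permission names are hypothetical, and the sample user is constructed; only `System.Security.Claims` from the .NET base library is used.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

static class ClaimsDemo
{
    // Hypothetical app-specific claim type; actions only ever check this type.
    const string Permission = "urn:example:permission";

    // Constructed mapping from identity-provider roles to app permissions.
    // Keeping it in one place limits where the "magic strings" live.
    static readonly Dictionary<string, string[]> RoleToPermissions =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            ["Editor"] = new[] { "article.edit" },
            ["Admin"]  = new[] { "article.edit", "article.delete" },
        };

    // Translate incoming role claims into app-specific permission claims.
    // Unknown roles map to nothing, so they grant nothing.
    static ClaimsPrincipal Transform(ClaimsPrincipal incoming)
    {
        var identity = new ClaimsIdentity(incoming.Claims, "Transformed");
        var granted = incoming.FindAll(ClaimTypes.Role)
            .SelectMany(r => RoleToPermissions.TryGetValue(r.Value, out var p)
                ? p : Array.Empty<string>())
            .Distinct();
        foreach (var perm in granted)
            identity.AddClaim(new Claim(Permission, perm));
        return new ClaimsPrincipal(identity);
    }

    // The only check an action needs: deny unless the caller is
    // authenticated and holds the required permission claim.
    static bool IsAuthorized(ClaimsPrincipal user, string required) =>
        user.Identity != null && user.Identity.IsAuthenticated
        && user.HasClaim(Permission, required);

    static void Main()
    {
        var login = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "alice"),   // constructed sample user
            new Claim(ClaimTypes.Role, "Editor"),
        }, "Forms"));
        var user = Transform(login);
        Console.WriteLine(IsAuthorized(user, "article.edit"));
        Console.WriteLine(IsAuthorized(user, "article.delete"));
        Console.WriteLine(IsAuthorized(new ClaimsPrincipal(new ClaimsIdentity()), "article.edit"));
    }
}
```

In an MVC application the `IsAuthorized` check would sit in a custom authorization filter, and `Transform` would run once per sign-in rather than per request.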
