Patterns / design suggestions for permission handling

慢半拍i 2020-12-31 16:23

We have a rather complicated system of permission handling in our (ASP.NET web) application. Users can have specific permissions on different kinds of objects, some permissi

3 answers

上瘾入骨i 2020-12-31 16:56

    Users and Groups with the ability to test `bool UserHasPermission(SOME_PERMISSION)` for an atomic permission associated with a Group is the standard approach for authorization; however, things are changing to Claims-based:

    http://msdn.microsoft.com/en-us/magazine/ee335707.aspx

    http://msdn.microsoft.com/en-us/magazine/cc163366.aspx

    http://www.infoq.com/news/2009/10/Guide-Claim-Based-Identity

    It, however, is not ideal for all situations.

    For the old model, I find that performance can be gained by using memoization during permissions checks. That way I'm not going to the database n times per session to check access control. Memoization effectively stores in a cache the result of a call with the same parameters, so all calls by a particular user to check XYZ permission would return the same result. Of course, you'd make sure you stored the memoized permissions for the user in the Session so it's per-user. If you load the permissions at login then you don't need to cache them, but in large systems with many permissions sometimes it's best to get them only when needed.

    http://www.infoq.com/news/2007/01/CSharp-memory
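As an added illustration of the per-user memoization the answer describes (this is example code, not code from the answer or from any project), assuming a hypothetical `IPermissionStore` interface that stands in for the database query:

```csharp
using System.Collections.Generic;

// Hypothetical store; a real one would query the database.
public interface IPermissionStore
{
    bool HasPermission(int userId, string permission, string objectKey);
}

// Memoizes permission checks for a single user. Keep one instance per user
// in Session (e.g. Session["permChecker"] = new MemoizedPermissionChecker(userId, store);)
// so cached decisions never cross user boundaries.
public sealed class MemoizedPermissionChecker
{
    private readonly IPermissionStore _store;
    private readonly Dictionary<string, bool> _cache = new Dictionary<string, bool>();

    public int UserId { get; }
    public int StoreLookups { get; private set; }   // counts cache misses, for observation

    public MemoizedPermissionChecker(int userId, IPermissionStore store)
    {
        UserId = userId;
        _store = store;
    }

    public bool UserHasPermission(string permission, string objectKey)
    {
        // Key on the permission and the object it applies to; the user is fixed per instance.
        string key = permission + "|" + objectKey;
        if (!_cache.TryGetValue(key, out bool allowed))
        {
            allowed = _store.HasPermission(UserId, permission, objectKey);
            StoreLookups++;
            _cache[key] = allowed;
        }
        return allowed;
    }

    // Call this when the user's permissions change (for example on revocation);
    // otherwise a stale "allowed" keeps being served for the rest of the session.
    public void Invalidate() => _cache.Clear();
}
```

The cache is deliberately tied to one user and one session; a cache shared across users or keyed only by permission name would be an authorization bug, not an optimization.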
