
asp.net security : Roles vs. Capability concept for the Role Managers in .NET?


Vince Varallo
5/30/2007 8:42:00 PM
Hello

I'm looking at using the Role Manager features in .NET 2.0 and am a little
confused. The concept of a role that I'm used to is that a role is composed
of capabilities. For example, the System Administrator role has access to
the "Create User" capability and the "Create Role" capability. I can then
put more than one user in the System Administrator role.

From what I'm reading about the roles defined in .NET, a role is
really a capability and users are granted access to that role, so you don't
really create a "role" with capabilities and then put users in that role. It
seems like you have to associate roles with each user and you really don't
have the concept of the capabilities being grouped in a role.

Am I missing something here?

Thanks in advance,

Vince

Dominick Baier
5/31/2007 3:07:48 PM
That's right.

If you want something more sophisticated - have a look at Microsoft Authorization
Manager.


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
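
The role-composed-of-capabilities model from the question can be layered over the flat `IsInRole` check. This is an added example, not code from the thread and not the Authorization Manager API; `CapabilityMap`, the "Help Desk" role and the sample users are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical helper: maps each role to the capabilities it grants, so
// application code checks a capability instead of hard-coding role names.
static class CapabilityMap
{
    // Constructed sample data; a real application would load this from a store.
    static readonly Dictionary<string, string[]> RoleCapabilities =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "System Administrator", new[] { "Create User", "Create Role" } },
            { "Help Desk",            new[] { "Create User" } },
        };

    // True if any role the principal holds grants the capability.
    // Null or anonymous principals and unknown capabilities are denied.
    public static bool HasCapability(IPrincipal user, string capability)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        foreach (KeyValuePair<string, string[]> entry in RoleCapabilities)
        {
            if (!user.IsInRole(entry.Key)) continue;   // flat role check
            foreach (string granted in entry.Value)
                if (string.Equals(granted, capability, StringComparison.OrdinalIgnoreCase))
                    return true;
        }
        return false;
    }
}

static class Program
{
    static void Main()
    {
        // Constructed principals standing in for users resolved by a role provider.
        IPrincipal admin = new GenericPrincipal(new GenericIdentity("alice"), new[] { "System Administrator" });
        IPrincipal desk  = new GenericPrincipal(new GenericIdentity("bob"),   new[] { "Help Desk" });

        Console.WriteLine(CapabilityMap.HasCapability(admin, "Create Role"));
        Console.WriteLine(CapabilityMap.HasCapability(desk,  "Create Role"));
        Console.WriteLine(CapabilityMap.HasCapability(desk,  "Create User"));
    }
}
```

Granting or revoking a capability then means editing the role's entry in the map, not changing every user's role assignments.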
