FYI… I’ll be speaking at the Boston Beantown.NET User Group on 1/5/2006 on “.NET Rights-based Security Development”.
Here’s the abstract:
The .NET security principal classes (WindowsPrincipal, GenericPrincipal) help you secure your application by checking whether a user is a member of a “role”. For example, only members of the “HR” role can view employee information. What if the requirements change and “HR” users may now view employee information only for certain org units? A call to IsInRole() is no longer enough, because the check now needs the context of the org unit: is this user a member of “HR” in the New York office? The solution is a rights-based security model. Rights-based security extends traditional role-based security with the granularity of context-relevant securable actions. In this session, we will discuss the essentials of developing a rights-based security model in .NET, how to develop your own IPrincipal classes, and how to tie a rights-based security framework into the ASP.NET 2.0 membership features using a custom membership and role provider.
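To make the abstract’s point concrete, here is an added example (mine, not code from the talk or any framework it describes) of a custom IPrincipal that keeps the familiar IsInRole() check but adds a context-aware rights check, so “HR in New York” and “HR in Boston” are different grants. The type and member names (Right, RightsPrincipal, GrantRole, MapRoleToRight, HasRight, DemandRight) and the sample user and org units are all made up for the illustration; it uses only .NET 2.0 generics and does not cover the membership/role-provider wiring mentioned at the end of the abstract.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Principal;

// Securable actions a role can confer. Names are illustrative only.
public enum Right
{
    ViewEmployeeInfo,
    EditEmployeeInfo
}

// An IPrincipal that answers the classic role question (IsInRole) and the
// rights-based question: "does this user hold Right X in org unit Y?"
public sealed class RightsPrincipal : IPrincipal
{
    private readonly IIdentity identity;

    // org unit -> roles the user holds *in that org unit*.
    private readonly Dictionary<string, List<string>> rolesByOrgUnit =
        new Dictionary<string, List<string>>(StringComparer.OrdinalIgnoreCase);

    // role -> rights that role confers. Kept apart from membership so a policy
    // change ("HR may no longer edit") is a data change, not a code change.
    private readonly Dictionary<string, List<Right>> rightsByRole =
        new Dictionary<string, List<Right>>(StringComparer.OrdinalIgnoreCase);

    public RightsPrincipal(IIdentity identity)
    {
        if (identity == null) throw new ArgumentNullException("identity");
        this.identity = identity;
    }

    public IIdentity Identity { get { return identity; } }

    public void GrantRole(string orgUnit, string role)
    {
        List<string> roles;
        if (!rolesByOrgUnit.TryGetValue(orgUnit, out roles))
        {
            roles = new List<string>();
            rolesByOrgUnit[orgUnit] = roles;
        }
        if (!ContainsIgnoreCase(roles, role)) roles.Add(role);
    }

    public void MapRoleToRight(string role, Right right)
    {
        List<Right> rights;
        if (!rightsByRole.TryGetValue(role, out rights))
        {
            rights = new List<Right>();
            rightsByRole[role] = rights;
        }
        if (!rights.Contains(right)) rights.Add(right);
    }

    // Classic role check: true if the user holds the role in *any* org unit.
    // Note what it cannot express: in which org unit the membership applies.
    public bool IsInRole(string role)
    {
        foreach (List<string> roles in rolesByOrgUnit.Values)
        {
            if (ContainsIgnoreCase(roles, role)) return true;
        }
        return false;
    }

    // Context-aware rights check. Fails closed: unknown org unit, unknown role
    // or a role that does not confer the right all yield false.
    public bool HasRight(Right right, string orgUnit)
    {
        List<string> roles;
        if (orgUnit == null || !rolesByOrgUnit.TryGetValue(orgUnit, out roles))
            return false;

        foreach (string role in roles)
        {
            List<Right> rights;
            if (rightsByRole.TryGetValue(role, out rights) && rights.Contains(right))
                return true;
        }
        return false;
    }

    // Imperative demand, in the spirit of PrincipalPermission.Demand().
    public void DemandRight(Right right, string orgUnit)
    {
        if (!HasRight(right, orgUnit))
            throw new SecurityException(string.Format(
                "{0} lacks {1} in org unit '{2}'", identity.Name, right, orgUnit));
    }

    private static bool ContainsIgnoreCase(List<string> list, string value)
    {
        foreach (string item in list)
        {
            if (StringComparer.OrdinalIgnoreCase.Equals(item, value)) return true;
        }
        return false;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample user: a member of HR in New York only.
        RightsPrincipal alice = new RightsPrincipal(new GenericIdentity("alice"));
        alice.GrantRole("New York", "HR");
        alice.MapRoleToRight("HR", Right.ViewEmployeeInfo);

        Console.WriteLine(alice.IsInRole("HR"));                               // role-only check, no context
        Console.WriteLine(alice.HasRight(Right.ViewEmployeeInfo, "New York")); // role held in this org unit
        Console.WriteLine(alice.HasRight(Right.ViewEmployeeInfo, "Boston"));   // same role, different org unit
        Console.WriteLine(alice.HasRight(Right.EditEmployeeInfo, "New York")); // role does not confer this right
    }
}
```

The design choice worth noting is that the two dictionaries separate who holds which role where from what each role may do, so both the org-unit scoping and the role-to-right policy can be loaded from a database (the natural fit for a custom role provider) while page code only ever calls HasRight() or DemandRight(). The checks fail closed on any lookup miss rather than defaulting to allow.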