Tag Archives: Role Management

Planning Role Management in ASP.Net

When planning role management, follow these best practices:
1> Use Windows authentication for intranet applications when users have Active Directory domain accounts. This provides single sign-on for users and centralizes account management. If you use Windows authentication, ASP.Net uses roles to represent group memberships.
2> If you must create accounts for users separate from their Active Directory domain accounts, work with systems administrators to include the application’s role management in their account management process. For example, when a user leaves the organization, systems administrators will need to remove both the user’s Active Directory domain account and the application account.
3> Never assign privileges to an individual user. Instead, add users to roles, and assign privileges to those roles. If an employee leaves the organization, you only need to remove the user from the role rather than modifying how privileges are assigned.
4> Create separate roles for different management tasks. For example, instead of creating roles for just users and administrators of a blog application, create separate roles for readers, writers, editors, content approvers, and website managers. Even though it might require you to add users to multiple roles, having more granular roles simplifies delegating tasks if more flexibility is required in the future.
5> Always derive new security classes from existing .NET classes. Microsoft has carefully reviewed and tested the security components of the .NET framework. This does not mean the .NET framework does not contain security weaknesses; all code does. However, the .NET framework’s extensive review and testing helps to make them more secure than classes written by individual developers.