We have an ASP.NET web application that has been around for over 4 years now. The web app uses ASP.NET role management with a custom role provider. The custom role provider connects to a database which includes tables for Users, User Groups, and Roles, with a table linking roles to user groups.
Over the years the application has grown in functionality and roles have been added. We now have around 30 roles and there is a complaint that it's not clear (due to lack of documentation, bad naming or whatever) what functionality a particular role gives a user.
Is there guidance on how to make the relationship between roles and functionality more transparent? One suggestion has been to list out the application functionality in another table and create a relationship between Role and Functionality. The application security would then be programmed against the items in the Functionality table, and the relationships between role and functionality could be maintained through a UI.
To me this approach doesn't quite fit with the concepts behind ASP.NET role based security. All the framework code methods refer to roles, e.g. "RoleProvider.IsUserInRole(string username, string roleName)" and:
<allow roles="members" />
Any ideas or thoughts?
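One way to reconcile the two ideas in the question, as an added example and not code from the original post: keep roles as the unit the role provider and `<allow roles="..."/>` understand, add a Functionality table linked to Roles, and have application code ask "may this user do X?" rather than "is this user in role Y?". The Role-to-Functionality mapping then is the documentation of what each role grants, and it can be queried in both directions. The class, method and table names below, and all the sample data, are assumptions for illustration, not the poster's schema.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example (not code from the original post): a "functionality" layer on
// top of ASP.NET-style role membership. The dictionaries stand in for the
// Users, UserGroups, Roles and Role->Functionality tables; in the real
// application they would be loaded from the custom role provider's database.
public sealed class FunctionalityAuthorizer
{
    private readonly Dictionary<string, string[]> userToGroups;
    private readonly Dictionary<string, string[]> groupToRoles;
    private readonly Dictionary<string, string[]> roleToFunctionality;
    private readonly HashSet<string> knownFunctionality;

    public FunctionalityAuthorizer(
        Dictionary<string, string[]> userToGroups,
        Dictionary<string, string[]> groupToRoles,
        Dictionary<string, string[]> roleToFunctionality,
        IEnumerable<string> functionalityCatalog)
    {
        this.userToGroups = userToGroups;
        this.groupToRoles = groupToRoles;
        this.roleToFunctionality = roleToFunctionality;
        knownFunctionality = new HashSet<string>(functionalityCatalog, StringComparer.OrdinalIgnoreCase);
    }

    // Same contract as RoleProvider.GetRolesForUser: user -> groups -> roles.
    public IReadOnlyCollection<string> GetRolesForUser(string username)
    {
        if (!userToGroups.TryGetValue(username, out var groups)) return Array.Empty<string>();
        return groups
            .SelectMany(g => groupToRoles.TryGetValue(g, out var roles) ? roles : Array.Empty<string>())
            .Distinct(StringComparer.OrdinalIgnoreCase)
            .ToList();
    }

    // Same contract as RoleProvider.IsUserInRole, kept for web.config and framework callers.
    public bool IsUserInRole(string username, string roleName) =>
        GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase);

    // What application code calls instead of IsUserInRole("SomeRole").
    // An unknown functionality name is a programming error (typo, renamed item),
    // so fail closed and loudly instead of quietly denying or matching nothing.
    public bool HasFunctionality(string username, string functionality)
    {
        if (!knownFunctionality.Contains(functionality))
            throw new ArgumentException($"Unknown functionality '{functionality}'", nameof(functionality));
        return GetRolesForUser(username).Any(role =>
            roleToFunctionality.TryGetValue(role, out var granted) &&
            granted.Contains(functionality, StringComparer.OrdinalIgnoreCase));
    }

    // Forward report: what does each role let a user do?
    public IEnumerable<string> DescribeRoles() =>
        roleToFunctionality.OrderBy(kv => kv.Key)
            .Select(kv => $"{kv.Key}: {string.Join(", ", kv.Value.OrderBy(f => f))}");

    // Reverse report: which roles grant a given functionality?
    public IReadOnlyList<string> RolesGranting(string functionality) =>
        roleToFunctionality
            .Where(kv => kv.Value.Contains(functionality, StringComparer.OrdinalIgnoreCase))
            .Select(kv => kv.Key).OrderBy(r => r).ToList();

    // Roles that grant nothing: first candidates for retirement when pruning 30-odd roles.
    public IReadOnlyList<string> EmptyRoles() =>
        roleToFunctionality.Where(kv => kv.Value.Length == 0).Select(kv => kv.Key).OrderBy(r => r).ToList();

    public static void Main()
    {
        // Constructed sample data standing in for the four tables.
        var catalog = new[] { "Orders.View", "Orders.Approve", "Reports.Export", "Users.Manage" };
        var auth = new FunctionalityAuthorizer(
            userToGroups: new() { ["alice"] = new[] { "Finance" }, ["bob"] = new[] { "Helpdesk" } },
            groupToRoles: new()
            {
                ["Finance"] = new[] { "OrderApprover", "ReportReader" },
                ["Helpdesk"] = new[] { "OrderViewer", "LegacyRole7" },
            },
            roleToFunctionality: new()
            {
                ["OrderViewer"] = new[] { "Orders.View" },
                ["OrderApprover"] = new[] { "Orders.View", "Orders.Approve" },
                ["ReportReader"] = new[] { "Reports.Export" },
                ["Admin"] = new[] { "Users.Manage" },
                ["LegacyRole7"] = Array.Empty<string>(),
            },
            functionalityCatalog: catalog);

        Console.WriteLine($"alice may approve orders: {auth.HasFunctionality("alice", "Orders.Approve")}");
        Console.WriteLine($"bob may approve orders:   {auth.HasFunctionality("bob", "Orders.Approve")}");
        Console.WriteLine($"bob still in OrderViewer: {auth.IsUserInRole("bob", "OrderViewer")}");
        foreach (var line in auth.DescribeRoles()) Console.WriteLine(line);
        Console.WriteLine("Grants Orders.Approve: " + string.Join(", ", auth.RolesGranting("Orders.Approve")));
        Console.WriteLine("Roles granting nothing: " + string.Join(", ", auth.EmptyRoles()));
        try { auth.HasFunctionality("alice", "Orders.Aprove"); }
        catch (ArgumentException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```

With this split, `<allow roles="..."/>` and `IsUserInRole` keep working for coarse page-level access, while fine-grained checks in code name the functionality, so a reader of either the code or the mapping table can see what a role actually grants. The mapping is just data, so the UI the question mentions can edit it without touching authorization code; the catalog check keeps a typo in a functionality name from silently widening or narrowing access.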