Understanding application security in .NET

From: David Thom (davidt@npsinc.com)
Date: 07/23/02

From: "David Thom" <davidt@npsinc.com>
Date: Tue, 23 Jul 2002 16:35:33 -0500

I have a .NET application that needs to perform application-level security
checking (like determining if a user can perform some application-defined
function - what I call an "abstract" resource/entity - NOT whether they can
access an actual W2K-defined resource, such as a file)

Sometimes the user will "log in" via an ASP.NET application. But I'll also
need to determine the access rights of a user whose ID is specified in
incoming data, and not by the "current user" (for example, I must determine
access rights based on a userid specified in the HTTP header of a SOAP
request or an HTTP POST, not the context being used by IIS). Will this
involve "impersonation"?

What's available in .NET? What's access authorization to "abstract"
resources called (is it "role-based" security?) How are abstract resources
defined? Are they known as "custom permissions" in .NET?

Any guidance to get me started down the right path would be appreciated!

David Thom

(I know this is an ASPNET ng, but there apparently is no generic
"dotnet.security" ng)