Need Help with Custom ACL
From: Cy Huckaba (russellh_at_t-3.com)
Date: 05/25/04
- Next message: Mark: "customError - 401.2 Access Denied"
- Previous message: DDK: "Preventing script attacks from text boxes"
Date: Tue, 25 May 2004 14:01:44 -0500
I apologize in advance to the platformsdk group, this question may not be hardcore enough.
I am working on some enhancements to our client extranet sites and am having a hard time trying to figure out the best way to do a security check and keep performance up.
I have set up role-based security on certain pages and functionality of our site. For example, I have roles that can view open jobs, document library, etc. If you have the ability to view jobs, then we get into whether or not you have edit, create, delete access as well. Pretty straightforward...
I should mention that my DAL mostly returns datasets as objects for binding (result of a stored proc). All users and roles are stored in database tables.
I should also mention that we will be creating new users and roles on the fly, so I can't hardcode in all possible roles into my classes.
What I would like to be able to do now is take it one step further, Role A can view jobs, but not all jobs, view documents, but not all docs, etc.
If I take it down to the individual item level, what's the best time/way to check the permissions on each item. I'm guessing most work will have to be done in the stored procs. I'm guessing that I should do a permission check and then figure out which proc I will call, or do most of the logic in the stored proc and just pass in the userID into it or something.
I would appreciate any input or links to articles, etc. that deal with this additional layer (most articles I've seen outline what I have done at the higher level).
Thank you,
Cy Huckaba
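One way to do what the post considers, pushing the item-level check into the query itself by passing the user in as a parameter, as an added example that is not the poster's code: the table names, the per-role grant table and the sample rows are constructed assumptions, and an in-memory SQLite database stands in for the stored-proc database.

```python
import sqlite3

# Constructed schema and rows (assumptions; the poster's tables differ).
# JobPermissions holds one row per (role, item, action): deny by default,
# every grant explicit, so new roles and users need no code changes.
SCHEMA = """
CREATE TABLE Roles (RoleID INTEGER PRIMARY KEY, Name TEXT);
CREATE TABLE UserRoles (UserID INTEGER, RoleID INTEGER);
CREATE TABLE Jobs (JobID INTEGER PRIMARY KEY, Title TEXT);
CREATE TABLE JobPermissions (RoleID INTEGER, JobID INTEGER, Action TEXT,
                             PRIMARY KEY (RoleID, JobID, Action));
INSERT INTO Roles VALUES (10, 'RoleA'), (11, 'RoleB');
INSERT INTO UserRoles VALUES (1, 10), (2, 11), (2, 10);   -- user 2 has both
INSERT INTO Jobs VALUES (100, 'Job 100'), (101, 'Job 101'), (102, 'Job 102');
INSERT INTO JobPermissions VALUES
  (10, 100, 'view'), (10, 101, 'view'), (10, 101, 'edit'),
  (11, 102, 'view'), (11, 102, 'delete');
"""

# The body a stored proc could run with @UserID/@Action as parameters: the
# ACL join is part of the data query, so rows the caller may not see are
# never returned, and the check is one indexed join, not a per-row call.
VISIBLE_JOBS_SQL = """
SELECT DISTINCT j.JobID, j.Title
FROM Jobs j
JOIN JobPermissions p ON p.JobID = j.JobID AND p.Action = ?
JOIN UserRoles ur     ON ur.RoleID = p.RoleID
WHERE ur.UserID = ?
ORDER BY j.JobID
"""

# Single-item check for the edit/create/delete path.
CAN_SQL = """
SELECT 1 FROM JobPermissions p
JOIN UserRoles ur ON ur.RoleID = p.RoleID
WHERE ur.UserID = ? AND p.JobID = ? AND p.Action = ? LIMIT 1
"""

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def jobs_for(conn, user_id, action="view"):
    """Return [(JobID, Title)] the user may perform `action` on."""
    return conn.execute(VISIBLE_JOBS_SQL, (action, user_id)).fetchall()

def can(conn, user_id, job_id, action):
    """True only if some role of the user holds an explicit grant."""
    return conn.execute(CAN_SQL, (user_id, job_id, action)).fetchone() is not None
```

Because the grant table is data rather than code, roles created on the fly are covered automatically, and a user with no matching grant row simply gets an empty result.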