Role based security and Permissions based security

From: Ryan Cromwell (RyanCromwell_at_discussions.microsoft.com)
Date: 11/30/04 

Date: Tue, 30 Nov 2004 06:49:08 -0800

We have been using Role based security here for some time, but in general it
has added more support costs than the model used in our old COM systems. We
would very much like to integrate the other model into our .Net world, but
using the security framework provided by .Net for imperitive and declaritive
checks.

I'd like to here suggestions or criticisms to what we believe is the path to
follow.

Similar to the Win2k3 Auth Manager, we define Applications and
Permissions/Areas within those applications. The business is able to create
Groups/Roles and assign Application Permissions to these Groups/roles. This
allows the business to change the authorization boundaries as it's needs
change. We don't have to recompile or be involved when things like
Sarbanes-Oxley require further seperation of duties than previously
anticipated during development.

To support this, we are going to create a custom permission which is an
abstract base class (i.e. BaseCustomPermission) requiring the inheritor to
implement only the Application and Permission identifiers. Each application
can then create unique CustomPermissions for the different areas needed to be
secured. The BaseCustomPermission's implementation of the IPermission class
would check that the Thread.CurrentPrincipal has the appropriate permissions.
 Our current Principals could still be used with the PrincipalPermission
checks for specific Role checks, but I would foresee the BaseCustomPrincipal
implementation more often.

I would very much appreciate some comments as I have found little
documentation as to the validity of this venture.

Relevant Pages

  • Re: Granting write access to HKLM
    ... hive into a registry key under HKEY_USER, ... I want to change the permissions of a registry ... >> permissions for a specific principal, rather we initialize the security ... >> principals, see the MSDN docs, starting with SetSecurityDescriptorDacl ...
    (microsoft.public.vc.mfc)
  • Re: Granting write access to HKLM
    ... have a basic understanding of programming Windows security. ... > Here is a starter setfor setting the securiy permissions on a key in the ... > principals, see the MSDN docs, starting with SetSecurityDescriptorDacl ... Keith Brown has an EXCELLENT book on the subject - Programming Windows ...
    (microsoft.public.vc.mfc)
  • Re: Granting write access to HKLM
    ... The point of HKCU is that it IS ... I want to change the permissions of a registry ... >> permissions for a specific principal, rather we initialize the security ... >> principals, see the MSDN docs, starting with SetSecurityDescriptorDacl ...
    (microsoft.public.vc.mfc)
  • RE: What server hardening are you doing these days?
    ... permissions on their data, and Microsoft encourages ISVs to minimize ... I've been able to discuss ACLs and other security issues in Windows with ... Control or DAC (which is what you're referring to by the "stupid ...
    (Focus-Microsoft)
  • Re: get rid of security center?
    ... I have come up with a solution that does not disable Security Center, ... By changing the Permissions of that key, ... settings from being changed again. ... the firewall alert settings in Security Center get ...
    (microsoft.public.windowsxp.help_and_support)