Sunday, April 17, 2016

ASP.NET MVC Fine Grained Identity & Access Control - Part 2

In this series I will explain how I designed a generic claims-based access control system for ASP.NET MVC 5 with Identity 2.0.
In Part 1, I describe my approach and the initial database design. ASP.NET MVC Fine Grained Identity & Access Control - Part 1

In this Part 2, I will start laying the foundation for the whole system, with all the data models and a functional UI.

The code completed so far is in the GitHub repo:

First, I need to decide what functionality the UI should have.
  1. As a super admin, I need to be able to view the application resources from the UI, add a description to them and search them.
  2. As a super admin, I need to be able to manage all the users in the system.
  3. As a super admin, I need to be able to manage global permissions.
  4. As a super admin, I need to be able to manage user groups and group permissions.

So, this is the list of things I need to be able to do within the system. There can be more, depending on the requirements, but I'm just trying to present the most basic way of doing things.

I also need a way to test things out within the UI. To do that, I need to be able to log in as another, less privileged user and see that everything I've blocked stays blocked. Typing the URI manually must not let the user view what's hidden; hiding a menu item is not the same as denying the request, so the check has to happen on the server for every action.

A tree structure for the application resources will display them nicely. If I select the user group first, then load the permissions already granted to it and map them onto the tree as check-boxes, I get an easy way to manage permissions for the group (see the following image from the WSO2 API Manager permission model).

WSO2 API Manager Permission Model

I can pre-define the types of exclusive rights in the system so that I can eliminate human error. Admins can select the right/claim and assign values to them.

These are my design considerations for now. As I keep developing the system, my decisions might change.

I’m going to start with a sample MVC-5 + WebAPI enabled project with Individual user accounts.

MVC + WebAPI + Individual User Accounts
I have removed all the Bootstrap and jQuery JS and CSS from the sample project and linked CDN-supplied libraries instead. I just wanted to keep things clean.

I have created new MVC controllers and the models from my DB design.

Note that I haven't run the application yet. If you run it and register, the database will be created. I prefer to set up the DB with everything I want first.

Connecting the data models to my ApplicationDBContext.

using System;
using System.Data.Entity;
using System.Net.Mime;
using Microsoft.Ajax.Utilities;
using Microsoft.AspNet.Identity.EntityFramework;

namespace DinkLabs.ClaimsAuth.Web.Models
{
    // IdentityDbContext already supplies the Users, Roles, Claims and Logins sets;
    // the sets below add the access-control tables from the Part 1 design.
    public class ApplicationDbContext : IdentityDbContext<ApplicationUser>
    {
        public IDbSet<Application> Application { get; set; }
        public IDbSet<ApplicationResource> ApplicationResource { get; set; }
        public IDbSet<ResourceGlobalPermission> ResourceGlobalPermission { get; set; }
        public IDbSet<ResourceRolePermission> ResourceRolePermission { get; set; }

        public ApplicationDbContext()
            : base("DefaultConnection", throwIfV1Schema: false)
        {
        }

        // Factory registered with OWIN (app.CreatePerOwinContext) so each request gets its own context.
        public static ApplicationDbContext Create()
        {
            return new ApplicationDbContext();
        }
    }
}
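To make the "typing the URI manually must not work" requirement concrete, here is an added example of a server-side filter that consults the tables registered in the context above; it is not code from the post's repo, and the column names (ApplicationResource.Name, ResourceGlobalPermission.IsPublic, the ResourceId/RoleId foreign keys) are assumptions about the Part 1 schema.

```csharp
using System.Linq;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using DinkLabs.ClaimsAuth.Web.Models;

namespace DinkLabs.ClaimsAuth.Web.Security
{
    // Hypothetical attribute: hiding a menu entry is cosmetic, so every action also
    // asks the database whether the caller's roles hold a permission on the resource.
    public class ResourcePermissionAttribute : AuthorizeAttribute
    {
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            if (!base.AuthorizeCore(httpContext))
                return false;                       // anonymous caller

            // Resource name is derived from the route, e.g. "Users/Edit" (assumed naming scheme)
            var route = httpContext.Request.RequestContext.RouteData.Values;
            var resourceName = route["controller"] + "/" + route["action"];
            var userId = httpContext.User.Identity.GetUserId();

            using (var db = new ApplicationDbContext())
            {
                var resource = db.ApplicationResource
                                 .SingleOrDefault(r => r.Name == resourceName);
                if (resource == null)
                    return false;                   // unregistered resource: deny by default

                // Assumed column: a global permission row marked IsPublic opens the resource to everyone
                if (db.ResourceGlobalPermission.Any(g => g.ResourceId == resource.Id && g.IsPublic))
                    return true;

                // Identity's user-role link, then the role-permission table from the design
                var roleIds = db.Users.Where(u => u.Id == userId)
                                      .SelectMany(u => u.Roles.Select(ur => ur.RoleId));
                return db.ResourceRolePermission
                         .Any(p => p.ResourceId == resource.Id && roleIds.Contains(p.RoleId));
            }
        }

        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            // Logged in but not permitted: answer 403 instead of bouncing to the login page
            if (filterContext.HttpContext.User.Identity.IsAuthenticated)
                filterContext.Result = new HttpStatusCodeResult(403);
            else
                base.HandleUnauthorizedRequest(filterContext);
        }
    }
}
```

Registering it as a global filter rather than per action means a forgotten attribute fails closed instead of open.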

The final UI looks like this.

A few menu items are still missing; I'll be adding them in Part 3.