Ok, I can't tell you line for line how to do this, that would be an extremely lengthy post, but I will tell you what you need at a minimum. From your description I am assuming that this is a pass/fail type of system, meaning that a user either has access or they don't.
I will give you a basic rundown of how I do this for my company; though it won't be in-depth, it will get you headed in the right direction.
First off, my security system for my Intranet Applications is completely transparent to the user; my applications grab the value of Request.ServerVariables("Remote_User"), which returns domain\username, and I use that to determine their exact level of permission; I don't make them log in at all.
It's important to note that I don't assign permissions to users; I assign permissions to groups, and users belong to groups, because otherwise it would become an absolute nightmare trying to manage X users having X rights to X application.
My SQL Structure is something like this:
lkApp (table) - Table that has a pk and a description of the application
AppRoles (table) - Table that has a pk, a description of the role, and a FK that links it to lkApp
AppUserRoles (table) - Table that has a pk, the users ID and a FK that links to AppRoles
AppPermission (table) - Table that has a pk, a fk that links to appRoles, a fk that links to lkApp, and a field that has the permission level for that role. (in my case 0, 2, or 4)
So what happens is this: when a user visits my application, I call a stored procedure that does the necessary joins and determines whether or not the user has adequate permission to view X resource. Hope this helps.
"The one language all programmers understand is profanity."
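The schema and the join the post describes, as an added example that is not the poster's own code: the four tables are modelled in SQLite with assumed column names and constructed sample rows, and a parameterized query stands in for the stored procedure, returning the highest of the 0/2/4 levels that a user's roles grant on a given application (0 when the user has no role there).

```python
import sqlite3

# Assumed column names; the post only names the tables and their pk/fk relationships.
# The user ID is stored as the domain\username string that Remote_User returns.
SCHEMA = """
CREATE TABLE lkApp (AppID INTEGER PRIMARY KEY, Description TEXT NOT NULL);
CREATE TABLE AppRoles (RoleID INTEGER PRIMARY KEY, Description TEXT NOT NULL,
                       AppID INTEGER NOT NULL REFERENCES lkApp(AppID));
CREATE TABLE AppUserRoles (ID INTEGER PRIMARY KEY, UserID TEXT NOT NULL,
                           RoleID INTEGER NOT NULL REFERENCES AppRoles(RoleID));
CREATE TABLE AppPermission (ID INTEGER PRIMARY KEY,
                            RoleID INTEGER NOT NULL REFERENCES AppRoles(RoleID),
                            AppID INTEGER NOT NULL REFERENCES lkApp(AppID),
                            PermLevel INTEGER NOT NULL CHECK (PermLevel IN (0, 2, 4)));
"""

# The join the stored procedure performs: user -> roles -> permission on this app.
# Parameters are bound, never concatenated, so the Remote_User string cannot alter the SQL.
PERM_QUERY = """
SELECT COALESCE(MAX(p.PermLevel), 0)
FROM AppUserRoles ur
JOIN AppRoles r      ON r.RoleID = ur.RoleID
JOIN AppPermission p ON p.RoleID = r.RoleID AND p.AppID = r.AppID
WHERE ur.UserID = ? AND p.AppID = ?
"""

def build_db():
    """Constructed sample data: two apps, three roles, two users (in-memory SQLite)."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO lkApp VALUES (?, ?)", [(1, "Timesheet"), (2, "Inventory")])
    con.executemany("INSERT INTO AppRoles VALUES (?, ?, ?)",
                    [(10, "Viewer", 1), (11, "Editor", 1), (20, "Viewer", 2)])
    con.executemany("INSERT INTO AppPermission VALUES (?, ?, ?, ?)",
                    [(1, 10, 1, 2), (2, 11, 1, 4), (3, 20, 2, 2)])
    con.executemany("INSERT INTO AppUserRoles VALUES (?, ?, ?)",
                    [(1, r"CORP\alice", 10), (2, r"CORP\alice", 11), (3, r"CORP\bob", 20)])
    return con

def permission_level(con, remote_user, app_id):
    """Highest permission level the user's roles grant on app_id; 0 if none."""
    (level,) = con.execute(PERM_QUERY, (remote_user, app_id)).fetchone()
    return level

def can_access(con, remote_user, app_id, required=2):
    """Pass/fail check: does the user's best role on this app meet the required level?"""
    return permission_level(con, remote_user, app_id) >= required
```

Because the check is driven by the server-set Remote_User value and the role tables alone, a user who has no AppUserRoles row for an application falls through to level 0 and is denied by default.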