BOOK: ASP.NET 2.0 Website Programming Problem Design Solution ISBN: 978-0-7645-8464-0
This is the forum to discuss the Wrox book ASP.NET 2.0 Website Programming: Problem - Design - Solution by Marco Bellinaso; ISBN: 9780764584640
You are currently viewing the BOOK: ASP.NET 2.0 Website Programming Problem Design Solution ISBN: 978-0-7645-8464-0 section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com

April 1st, 2009, 02:09 PM
Registered User
Join Date: Apr 2009
Posts: 3
Thanks: 0
Thanked 0 Times in 0 Posts
Maintain Roles - Display List by Profile Field
I used the code from the Beer House to create a webpage called Maintain Roles, and it works beautifully. Now I need to modify it to list users by a new field I added to the Membership Profile called Company. Each Company will have its own Administrator, and I want to limit the users they see by that administrator's Company Code. Can anyone help? I'm really a novice.

April 1st, 2009, 03:07 PM
Friend of Wrox
Join Date: Feb 2009
Posts: 105
Thanks: 3
Thanked 20 Times in 19 Posts
What you are asking for can be done, but not with the Roles features. Roles limits access to pages and areas of the site, based on user role. What you want is to limit access to data records for a specific company, a whole other thing.
You would need to modify the stored procedures and SQL providers and method calls to include a company parameter and then pass along the company argument for the current user so only that company's specific data is returned. You should also answer two additional questions: how to deal with a user not logged in (no company argument); and what should happen if a site administrator is logged in (show all companies, or ...)?
Steve

April 4th, 2009, 06:57 PM
Registered User
Join Date: Apr 2009
Posts: 3
Thanks: 0
Thanked 0 Times in 0 Posts
Thank you for your reply. I understand what you said, but I'm not sure how to go about doing that. I used the book example to display the list of users (I didn't write the code) in the Maintain Roles section, so I'm not sure how to modify it to display the users from the Roles/Membership joined to the Users from the Profile for the selected company. I know how to write SQL, it just seems like the fields/code is kind of hidden from me. Does that make sense? Does anyone have any example code that does anything like this? I would think it would be a common need for a web application with many clients to limit what Users they could see/maintain.

April 5th, 2009, 02:50 AM
Friend of Wrox
Join Date: Feb 2009
Posts: 105
Thanks: 3
Thanked 20 Times in 19 Posts
Let's try this: assume you have two companies ("ABC" & "XYZ"), and that there are two 'admin' representatives, one for each company ("A" & "X"). Also assume that each of these companies has its super secret recipes in Articles on your web site.
When "A" logs in he should only be able to see the Articles for company "ABC" and not for any other. When he is logged in, his user profile shows that he is with the "ABC" company, so far so good.
But, out of the box the beer house has no way to differentiate Articles by company, although you can differentiate by Category. So one of the first things you need to do is add a field to the Article table to know which article goes with which company. Typically this would be an integer field and there would be a company table with a company name field and an ID field; and the id for the "ABC" record would be used in the Article table for the companyID for their article records.
Next you would need to modify all the stored procedures to include the companyID as a parameter and modify the SQL so only articles with the correct companyID were selected, edited, deleted, etc. Then you would have to modify the DAL and BLL classes to also use the companyID field.
For most of these modifications you could emulate how the categoryID is dealt with, but instead of being changed by a dropdown selection, it would be based on the user's profile company name.
And, as I stated in my first reply, it is the edge conditions you need to think long and hard about. What should be returned when a visitor isn't logged in, i.e. no companyID? And, what should be returned when the site administrator logs in?
Another issue to deal with is account creation. If "X" knows that company "ABC" is on your site and that all he has to do to see their data is create an account and say he is with "ABC", now "X" can see all the super secret recipes for "ABC", not what you or "ABC" would want. So, you may not want to have an open registration.
This is only a high-level description to convey the concept. It is not terribly complex, but there is a fair amount of code and stored procedures that would need to be changed and tested. And, some way of dealing with a company table or other manner of generating and maintaining companyIDs to use in all the tables with company data.
Good Luck
Steve

April 10th, 2009, 05:35 PM
Registered User
Join Date: Apr 2009
Posts: 3
Thanks: 0
Thanked 0 Times in 0 Posts
Thank you so much for the information you provided in your email. There was a lot there for me to absorb. I really appreciate your help. I loved the whole Beer House application but the only piece of code that I am using is the maintain roles page, for the exact reason you pointed out: this is not an "open to all" website. It actually is for a small payroll company that needs to be secure. The application already uses company code throughout (just not in the roles section of the application). I modified the registration page to require company code, last four digits from SSN, employee number and last name to validate them as a user. (Not everyone can register; I have a registration instruction page that tells them what is required before they continue.) Each person that registers gets the lowest level of rights. Their administrator would give them more authority if they want to grant them more.
I store that info in the profile record. Now if I log on as administrator for ABC company and select the Maintain Roles page, when I display the list I need to know how to list the users from the membership, which it currently does, and "join" the user/company from the profile table to show just the ABC company. Does that make sense? Thanks again.
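
An added example, not part of the thread or the book's code: one way to scope the Maintain Roles user list to the caller's company with the ASP.NET 2.0 Membership and Profile APIs, covering the anonymous and site-administrator cases raised earlier in the thread. The class name and both role names are assumptions; `Company` is the profile property described in the first post.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web.Profile;
using System.Web.Security;

public static class CompanyScopedUsers
{
    // Assumed role names; adjust to the roles defined in the application.
    const string SiteAdminRole = "Administrators";
    const string CompanyAdminRole = "CompanyAdministrators";

    static string CompanyOf(string userName)
    {
        // Read the company from the server-side profile store,
        // never from a query string, form field or dropdown.
        object value = ProfileBase.Create(userName).GetPropertyValue("Company");
        return value == null ? "" : value.ToString().Trim();
    }

    // True when 'caller' may view or change roles for 'targetUserName'.
    public static bool CanManage(IPrincipal caller, string targetUserName)
    {
        if (caller == null || !caller.Identity.IsAuthenticated)
            return false;                               // not logged in: sees nothing
        if (caller.IsInRole(SiteAdminRole))
            return true;                                // site administrator: all companies
        if (!caller.IsInRole(CompanyAdminRole))
            return false;                               // ordinary user: sees nothing
        string callerCompany = CompanyOf(caller.Identity.Name);
        return callerCompany.Length > 0                 // an empty company matches nobody
            && string.Equals(callerCompany, CompanyOf(targetUserName),
                             StringComparison.OrdinalIgnoreCase);
    }

    // Data source for the user grid: only the accounts the caller may manage.
    public static List<MembershipUser> GetVisibleUsers(IPrincipal caller)
    {
        List<MembershipUser> visible = new List<MembershipUser>();
        foreach (MembershipUser user in Membership.GetAllUsers())
        {
            if (CanManage(caller, user.UserName))
                visible.Add(user);
        }
        return visible;
    }
}
```

Call `CanManage` again in the handler that saves a role change, because filtering the list alone does not stop a request that names a user from another company. Loading one profile per user is fine for a small site; a larger one would do the same filter in a stored procedure that takes the company as a parameter.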