I have a set of tables that a doctor uses to keep patient records. For example: client details, therapy notes, etc etc... There are three doctors in the practice.

Here is my question:

I want my logged in users (the doctors) to only be able to access the rows of data that they have created and not rows of data associated with another user. Is this done with Roles or Profiles or Members?

I would assume that the rows of data that the user creates (INSERTS) would have inserted their user ID into a column like UserId, for example.

If so, is this safe enough that other users wont be able to access the wrong rows of data?

And also, how do I get the userId data from the ASPNETDB.mdf to my own database safely?

I have worked through the book, which is my bible, but not really found the answer to this.

Regards

Lee

Hi there,

No, Roles and Profile won't help as you need row based security.

Your thinking is good though in that you need to store the user in the data somehow. You get the id of the user using Membership.GetUser().ProviderUserKey. Alternatively, and recommended by Microsoft, you should use the user name instead along with the application name (set on the provider configuration in web.config).

As long as all your queries take this user id into account, you should be safe.

BTW: for questions not related to the book directly, you're better off posting in a more general asp.net forum category here at wrox.com as you'll attract more viewers.

Cheers,

Imar

__________________
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Follow me on Twitter

Author of Beginning ASP.NET 4.5 : in C# and VB, Beginning ASP.NET Web Pages with WebMatrix
and Beginning ASP.NET 4 : in C# and VB.
Did this post help you? Click the button below this post to show your appreciation!

Thank Imar. I'll post it there and see what else pops up. I dont fully understand how to translate your answer into something that I can use, as yet. But thanks.