Monday, March 26, 2012

What is the best approach?

Hello, friends,
I implemented Forms Authentication in my ASP.NET app, and it worked fine.
However, now I have another problem:
Although a user can be authenticated, he/she may still not be allowed to
view certain pages and folders. For example, a junior member cannot view
pages for senior members, although he/she can log into the web site.
<authorization> in web.config seems a good approach. However, it needs
either to enumerate all users in <allow> or <deny>, or to add users to a
predefined role, say "Junior" or "Senior". All these will be done manually.
Unless there is an automatic way, this is NOT good for us since we need our
new members to access proper pages right after they register. We do not check
our database every minute to see if there are new registered members, and
manually add them. Moreover, a new member may register at midnight or on
holidays: We can NOT tell him/her to wait until we have someone to add
his/her name into <authorization> or into a role.
What is the best approach to do this?
Any reference papers, sample code? Thanks.

Do you know about role-based authorization that you integrate into forms
auth? Also, are you using 1.1 or 2.0?
http://aspnet.4guysfromrolla.com/articles/082703-1.aspx
That is for 1.1
For 2.0
http://aspnet.4guysfromrolla.com/articles/121405-1.aspx
Start there - those links via quick Google for role-based authorization
"Andrew" <Andrew@.discussions.microsoft.com> wrote in message
news:D110E59F-A155-4D49-B034-B1AE9B4A05FF@.microsoft.com...
> Hello, friends,
> I implemented Forms Authentication in my ASP.NET app, and it worked fine.
> However, now I have another problem:
> Although a user can be authenticated, he/she may still not be allowed
> to
> view certain pages and folders. For example, a junior member cannot view
> pages for senior members, although he/she can log into the web site.
> <authorization> in web.config seems a good approach. However, it needs
> either to enumerate all users in <allow> or <deny>, or to add users to a
> predefined role, say "Junior" or "Senior". All these will be done
> manually.
> Unless there is an automatic way, this is NOT good for us since we need our
> new members to access proper pages right after they register. We do not
> check
> our database every minute to see if there are new registered members, and
> manually add them. Moreover, a new member may register at midnight or on
> holidays: We can NOT tell him/her to wait until we have someone to add
> his/her name into <authorization> or into a role.
> What is the best approach to do this?
> Any reference papers, sample code? Thanks.
>

You need to write some code to do that...
Basically you need to store the menu/page/users in the database
and have your menu generated based on this database.
This menu code should not constantly hit the database; you need to cache it
and invalidate the cache if the database changes (you can do this easily in ASP.NET
2.0)
You cannot personalize your site with the <authorization> element unless you put
related pages in separate folders and have a separate web.config with
<authorization> in each folder.
A good starting reference is "Designing Application-Managed Authorization",
which you can look up on the MSDN site
Good luck,
-Stan
"Andrew" <Andrew@.discussions.microsoft.com> wrote in message
news:D110E59F-A155-4D49-B034-B1AE9B4A05FF@.microsoft.com...
> Hello, friends,
> I implemented Forms Authentication in my ASP.NET app, and it worked fine.
> However, now I have another problem:
> Although a user can be authenticated, he/she may still not be allowed
> to
> view certain pages and folders. For example, a junior member cannot view
> pages for senior members, although he/she can log into the web site.
> <authorization> in web.config seems a good approach. However, it needs
> either to enumerate all users in <allow> or <deny>, or to add users to a
> predefined role, say "Junior" or "Senior". All these will be done
> manually.
> Unless there is an automatic way, this is NOT good for us since we need our
> new members to access proper pages right after they register. We do not
> check
> our database every minute to see if there are new registered members, and
> manually add them. Moreover, a new member may register at midnight or on
> holidays: We can NOT tell him/her to wait until we have someone to add
> his/her name into <authorization> or into a role.
> What is the best approach to do this?
> Any reference papers, sample code? Thanks.
>
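
An added example, not part of any post in this thread: one way to combine the two replies on ASP.NET 2.0, attaching database-driven roles to the Forms Authentication identity on each request so that `<authorization>` role rules are enforced on the server without anyone editing web.config. The `Members` table, its `UserName` and `Level` columns, the `Members` connection string and the `InvalidateRoles` helper are assumptions made for illustration.

```csharp
// Global.asax.cs -- added example; table, column and connection-string names are assumptions.
using System;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;
using System.Web.Caching;
using System.Web.Security;

public class Global : HttpApplication
{
    // Runs on every request, after Forms Authentication has validated the ticket
    // and before UrlAuthorizationModule evaluates the <authorization> rules.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx.User == null || !(ctx.User.Identity is FormsIdentity)) return;
        ctx.User = new GenericPrincipal(ctx.User.Identity, GetRoles(ctx.User.Identity.Name));
    }

    static string[] GetRoles(string userName)
    {
        string key = "roles:" + userName.ToLowerInvariant();
        string[] roles = (string[])HttpRuntime.Cache[key];
        if (roles != null) return roles;   // served from cache, no database hit

        // Hypothetical schema: Members(UserName, Level) with Level = 'Junior' or 'Senior',
        // written by the registration page when the account is created.
        string cs = ConfigurationManager.ConnectionStrings["Members"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT Level FROM Members WHERE UserName = @u", conn))
        {
            cmd.Parameters.AddWithValue("@u", userName);   // parameterized, never concatenated
            conn.Open();
            object level = cmd.ExecuteScalar();
            // Unknown user or NULL level gets no roles, so role-protected folders stay denied.
            roles = (level == null || level == DBNull.Value)
                ? new string[0] : new string[] { (string)level };
        }
        HttpRuntime.Cache.Insert(key, roles, null,
            DateTime.UtcNow.AddMinutes(5), Cache.NoSlidingExpiration);
        return roles;
    }

    // Call after changing a member's level so the next request re-reads it.
    public static void InvalidateRoles(string userName)
    { HttpRuntime.Cache.Remove("roles:" + userName.ToLowerInvariant()); }
}
```

With this in place, the web.config in a seniors-only folder needs only `<allow roles="Senior" />` followed by `<deny users="*" />`, and a newly registered member is authorized on the next request with no manual step. A menu built from the same roles is a convenience only; the folder rules are what block a direct request for a page.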
