使用实体框架在数据库中构建访问控制的建议

时间:2013-05-07 19:30:05

标签: asp.net asp.net-mvc entity-framework forms-authentication database-schema

我正在寻找一些我正在尝试实施的架构的建议和帮助。我正在构建的应用程序为我们内部使用的多个ASP.NET网站提供SSO和集中身份验证。我面临的问题是,我似乎无法想出一种在实体框架中构建数据的方法。

概述: 1)帐户可以与许多应用程序相关联 2)角色特定于每个应用程序 3)功能特定于每个应用程序 4)下面没有显示,但我想进一步细分关联并使“目录”的帐户成员和应用程序可以访问与应用程序关联的目录列表中的用户(这有意义吗?) 用户“Joe”将具有如下权限:

Application 1:  

Role    | Feature 1 | Feature 2 | Feature 3
=============================================
Role1   |     x     |           |     x
Role2   |           |     x     |     x
Role3   |     x     |     x     |     x

Application 2:
Role    | Feature 1 | Feature 2 | Feature 3
=============================================
Role1   |           |           |     x
Role2   |           |     x     |     
Role3   |     x     |     x     |     x

我会通过类似于以下的API访问这些权限:

CheckAccountPermission(Role, Feature), IsAccountInRole(Role)

目前,我一直在尝试以下模式:

Application.cs
public int ApplicationId { get; set; }
public Guid ApplicationGuid { get; set; }
public string Name { get; set; }
public string Description { get; set; }
public bool IsEnabled { get; set; }
public DateTime DateCreated { get; set; }
public DateTime? LastModified { get; set; }
public virtual ICollection<Directory> Directories { get; set; }
public virtual ICollection<Feature> Features { get; set; }
public virtual ICollection<AccountPermission> AccountPermissions { get; set; } 


Account.cs
public int AccountId { get; set; }
public string Username { get; set; }
public string Password { get; set; }
public string PasswordSalt { get; set; }
public string FirstName { get; set; }
public string MiddleName { get; set; }
public string LastName { get; set; }
public string EmailAddress { get; set; }
public string AvatarUrl { get; set; }
public string AccountNotes { get; set; }
public DateTime? LastLogin { get; set; }
public DateTime DateCreated { get; set; }
public DateTime? LastModified { get; set; }
public DateTime? LastActivity { get; set; }
public bool IsEnabled { get; set; }
//-------------------//
public int DirectoryId { get; set; }
public virtual Directory Directory { get; set; }            
public virtual ICollection<Session> Sessions { get; set; }
public virtual ICollection<AccountPermission> AccountPermissions { get; set; } 

Directory.cs
public string Name { get; set; }
public string Description { get; set; }
public bool IsEnabled { get; set; }
public virtual ICollection<Account> Accounts { get; set; }
public virtual ICollection<Role> Roles { get; set; }
public virtual ICollection<Application> Applications { get; set; } 

Role.cs
public int RoleId { get; set; }
public string Name { get; set; }
public string Description { get; set; }
public int? PrimaryRoleId { get; set; }
public Role PrimaryRole { get; set; }
public DateTime DateCreated { get; set; }
public DateTime? LastModified { get; set; }
public virtual int DirectoryId { get; set; }
public virtual Directory Directory { get; set; }
public virtual ICollection<AccountPermission> AccountPermissions { get; set; } 

AccountPermission.cs
[Key, Column(Order = 0)]
public int AccountId { get; set; }
public virtual Account Account { get; set; }
[Key, Column(Order = 1)]
public int RoleId { get; set; }
public virtual Role Role { get; set; }
[Key, Column(Order = 2)]
public int FeatureId { get; set; }
public virtual Feature Feature { get; set; }
[Key, Column(Order = 3)]
public int ApplicationId { get; set; }
public virtual Application Application { get; set; }

如果我不在这里或被误入歧途,请随时指出我正确的方向。我真的很想做到这一点。我可以提供任何澄清信息,请告诉我! 谢谢大家!

0 个答案:

没有答案