Thus, we need only create a Windows form for adding users, adding roles and adding users to roles, and saving all of that to the database. This is easily accomplished by creating the form shown in Figure 4: You will want to bind the list boxes to data sources tied to your data tables.
This article takes you as far as saving the users, roles and the permissions those roles have for the various controls. It does not implement login and so it does not implement any of the checks to see if the logged in user should be restricted in access to the controls on any given page. The full source code for this article is available for download. Simply click on the CODE DOWNLOAD link in the box to the right of the article title.
We see this most cleanly and starkly implemented in ASP.NET, though it presents a bit more of a challenge with Windows Forms applications that will be used by a very large number of users. NET authentication support, accessing it through a web service.) NOTE: My client had their own authentication system (as part of their larger in-house system) and to keep this article simple I’ll follow their lead and simply create a Users table and a Roles table and finesse the authentication.
To decide if a user has “access” to a control (which will be defined as meaning the right to see a control or to invoke the control) we’ll create two additional objects: In a “real” application, I’d add a middle tier of business objects to represent the user, role, control and the relationships, but again, to keep this paper stripped down to the essence, the sample application will have the presentation layer talk directly to the persistence layer (a practice I generally recommend against!).
We decided to make the restrictions “roles-based” – that is “managers can click this button, users can see it, but to guests it is invisible.” We wanted to build an architecture that would allow us to add forms and controls to the application without deciding in advance which roles we would use, and without having to modify the forms or controls to meet the needs of the security architecture any more than absolutely necessary.
The ideal security architecture would be independent of the participating forms and controls. I do not explain how to create forms, or how event handling works, nor do I explain how to interact with a SQL database.