start date: Mon, 13 Aug 2007 09:37:22 -0700,
posted on: microsoft.public.dotnet.framework.aspnet
Thread index: 1. Bill Fuller, 2. George Ter-Saakov, 3. Bill Fuller, 4. sloan, 5. Bill Fuller, 6. sloan
Best Practices for handling sensitive data in the UI
Here is the scenario. We will be writing a web application that will need to
sometimes properly handle sensitive data (salary, ssn, profit, etc.) using
roles. This data will be restricted at a macro level (for example, no access
to accounting modules unless authorized) and a more granular level (no
visibility, read-only, and read-update to certain fields, such as personal
information, depending on role).
Question: Is there a good source of information on best practices for
handling this? For example, does it make sense to provide custom controls
for some/all of managed fields containing sensitive data?
Date: Mon, 13 Aug 2007 09:37:22 -0700
Author: Bill Fuller
Re: Best Practices for handling sensitive data in the UI
I usually create a "data class" that keeps all the sensitive data, takes a 'security
level' in its constructor and exposes the data using properties.
Like

    // Fields and constructor body added so the sketch compiles as C#;
    // the gating logic is unchanged: only level 1 sees the real salary.
    class clsEmployee
    {
        private readonly int iLevel;   // caller's security level
        private decimal _dSalary;      // protected value, loaded from the data layer (not shown)

        public clsEmployee(int iLevel)
        {
            this.iLevel = iLevel;
        }

        public decimal Salary
        {
            get
            {
                if (iLevel != 1)
                    return 0;
                else
                    return _dSalary;
            }
        }
    }
George.
"Bill Fuller" wrote in message
news:%23GHj3gc3HHA.4712@TK2MSFTNGP04.phx.gbl...
> Here is the scenario. We will be writing a web application that will need
> to sometimes properly handle sensitive data (salary, ssn, profit, etc.)
> using roles. This data will be restricted at a macro level (for example,
> no access to accounting modules unless authorized) and a more granular
> level (no visibility, read-only, and read-update to certain fields, such
> as personal information, depending on role).
>
> Question: Is there a good source of information on best practices for
> handling this? For example, does it make sense to provide custom controls
> for some/all of managed fields containing sensitive data?
>
Date: Mon, 13 Aug 2007 13:37:12 -0400
Author: George Ter-Saakov
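Added example (the editor's, not code from the thread or from any poster). George's sketch gates a single property on one integer level and returns 0 when the caller may not see the value, which cannot be told apart from a genuine salary of 0, and it leaves the setter unguarded. The class below carries the same idea through to the three field states Bill asked about (no visibility, read-only, read-update): every decision is made inside the object, unknown roles and fields are denied by default, "not permitted" comes back as null rather than 0, the setter is checked as well as the getter, and read access to the SSN yields only a masked form. The ASP.NET page then only reflects the object's decision (Visible/ReadOnly on the control), so a hidden control or a tampered postback cannot bypass it. The FieldAccess enum, the EmployeeRecord class, the role names, the policy table and the employee values are all assumptions constructed for this sample.

```csharp
using System;
using System.Collections.Generic;

// Added example, not code from the thread. FieldAccess, EmployeeRecord, the
// role names and the policy table are assumptions made for this sample.
public enum FieldAccess { None = 0, Read = 1, ReadWrite = 2 }

public sealed class EmployeeRecord
{
    // role -> field -> access. Constructed sample policy; a real application
    // would load this from configuration or a policy store, not from code.
    private static readonly Dictionary<string, Dictionary<string, FieldAccess>> Policy =
        new Dictionary<string, Dictionary<string, FieldAccess>>(StringComparer.OrdinalIgnoreCase)
        {
            ["Payroll"] = new Dictionary<string, FieldAccess>(StringComparer.OrdinalIgnoreCase)
                { ["Salary"] = FieldAccess.ReadWrite, ["Ssn"] = FieldAccess.Read },
            ["Manager"] = new Dictionary<string, FieldAccess>(StringComparer.OrdinalIgnoreCase)
                { ["Salary"] = FieldAccess.Read, ["Ssn"] = FieldAccess.None },
            // "Staff" is deliberately absent: unknown roles and fields get None.
        };

    private readonly string _role;
    private decimal _salary;
    private readonly string _ssn;

    public EmployeeRecord(string role, decimal salary, string ssn)
    {
        _role = role ?? string.Empty;
        _salary = salary;
        _ssn = ssn ?? string.Empty;
    }

    // Deny by default: anything not explicitly granted is None.
    public FieldAccess AccessTo(string field)
    {
        Dictionary<string, FieldAccess> fields;
        FieldAccess access;
        if (Policy.TryGetValue(_role, out fields) && fields.TryGetValue(field, out access))
            return access;
        return FieldAccess.None;
    }

    public bool CanRead(string field)  { return AccessTo(field) >= FieldAccess.Read; }
    public bool CanWrite(string field) { return AccessTo(field) == FieldAccess.ReadWrite; }

    // Nullable so "not permitted" is distinguishable from a genuine salary of 0.
    public decimal? Salary
    {
        get { return CanRead("Salary") ? _salary : (decimal?)null; }
        set
        {
            // The setter is guarded as well: a read-only role cannot update the
            // field even if a crafted postback targets the control.
            if (!CanWrite("Salary"))
                throw new UnauthorizedAccessException("role '" + _role + "' may not update Salary");
            if (!value.HasValue)
                throw new ArgumentNullException("value");
            _salary = value.Value;
        }
    }

    // Read access to the SSN yields only the masked form; the raw value
    // never leaves the object in this sample.
    public string Ssn
    {
        get { return CanRead("Ssn") ? Mask(_ssn) : null; }
    }

    private static string Mask(string ssn)
    {
        if (ssn.Length <= 4) return new string('*', ssn.Length);
        return new string('*', ssn.Length - 4) + ssn.Substring(ssn.Length - 4);
    }

    private static string Show(decimal? v) { return v.HasValue ? v.Value.ToString() : "(hidden)"; }

    public static void Main()
    {
        // Constructed sample values; the same record seen through three roles.
        var payroll = new EmployeeRecord("Payroll", 85000m, "123-45-6789");
        var manager = new EmployeeRecord("Manager", 85000m, "123-45-6789");
        var staff   = new EmployeeRecord("Staff",   85000m, "123-45-6789");

        Console.WriteLine("Payroll: " + Show(payroll.Salary) + " / " + (payroll.Ssn ?? "(hidden)"));
        Console.WriteLine("Manager: " + Show(manager.Salary) + " / " + (manager.Ssn ?? "(hidden)"));
        Console.WriteLine("Staff:   " + Show(staff.Salary)   + " / " + (staff.Ssn ?? "(hidden)"));

        payroll.Salary = 90000m;               // permitted: Payroll has ReadWrite
        try { manager.Salary = 90000m; }       // rejected: Manager has Read only
        catch (UnauthorizedAccessException e) { Console.WriteLine(e.Message); }

        // In the ASP.NET page the control only reflects the object's decision:
        //   salaryTextBox.Visible  = manager.CanRead("Salary");
        //   salaryTextBox.ReadOnly = !manager.CanWrite("Salary");
    }
}
```

The design choice worth noting is that the page-level check (which module a role may open) and the field-level check live in the same place, the object that owns the data, so the UI cannot grant more than the object will give out. Custom controls, as Bill suggested, are then just a convenience for binding Visible and ReadOnly to CanRead and CanWrite rather than the place where the decision is made.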
Re: Best Practices for handling sensitive data in the UI
Interesting... I like that idea. Simple and elegant.
Thanks.
"George Ter-Saakov" wrote in message
news:ugz7VCd3HHA.2208@TK2MSFTNGP06.phx.gbl...
>I usually create "data class" that keeps all sensitive data takes
>'security level' as a constructor and exposes data using properties.
> Like
>
> class clsEmployee
> {
> void clsEmployee (int iLevel);
> decimal Salary
> {
> get
> {
> if( iLevel != 1 )
> return 0;
> else
> return _dSalary;
> }
> }
> }
>
> George.
>
>
> "Bill Fuller" wrote in message
> news:%23GHj3gc3HHA.4712@TK2MSFTNGP04.phx.gbl...
>> Here is the scenario. We will be writing a web application that will need
>> to sometimes properly handle sensitive data (salary, ssn, profit, etc.)
>> using roles. This data will be restricted at a macro level (for example,
>> no access to accounting modules unless authorized) and a more granular
>> level (no visibility, read-only, and read-update to certain fields, such
>> as personal information, depending on role).
>>
>> Question: Is there a good source of information on best practices for
>> handling this? For example, does it make sense to provide custom controls
>> for some/all of managed fields containing sensitive data?
>>
>
>
Date: Mon, 13 Aug 2007 10:45:49 -0700
Author: Bill Fuller
Re: Best Practices for handling sensitive data in the UI
You should take a look at the CSLA framework for this specific need, as ~an
option.
"Bill Fuller" wrote in message
news:%23GHj3gc3HHA.4712@TK2MSFTNGP04.phx.gbl...
> Here is the scenario. We will be writing a web application that will need
> to sometimes properly handle sensitive data (salary, ssn, profit, etc.)
> using roles. This data will be restricted at a macro level (for example,
> no access to accounting modules unless authorized) and a more granular
> level (no visibility, read-only, and read-update to certain fields, such
> as personal information, depending on role).
>
> Question: Is there a good source of information on best practices for
> handling this? For example, does it make sense to provide custom controls
> for some/all of managed fields containing sensitive data?
>
Date: Mon, 13 Aug 2007 14:36:38 -0400
Author: sloan
Re: Best Practices for handling sensitive data in the UI
I never heard of this, but a quick google on it looks promising.
I see the framework has support for Remoting. Do you know if it has been
extended to support WCF?
Also, do you know if it will complement Enterprise Library blocks? (Logging,
security, database, etc.)
"sloan" wrote in message
news:ONNdjjd3HHA.1204@TK2MSFTNGP03.phx.gbl...
>
> You should take a look at the CSLA framework for this specific need, as
> ~an option.
>
>
> "Bill Fuller" wrote in message
> news:%23GHj3gc3HHA.4712@TK2MSFTNGP04.phx.gbl...
>> Here is the scenario. We will be writing a web application that will need
>> to sometimes properly handle sensitive data (salary, ssn, profit, etc.)
>> using roles. This data will be restricted at a macro level (for example,
>> no access to accounting modules unless authorized) and a more granular
>> level (no visibility, read-only, and read-update to certain fields, such
>> as personal information, depending on role).
>>
>> Question: Is there a good source of information on best practices for
>> handling this? For example, does it make sense to provide custom controls
>> for some/all of managed fields containing sensitive data?
>>
>
>
Date: Mon, 13 Aug 2007 12:42:17 -0700
Author: Bill Fuller
Re: Best Practices for handling sensitive data in the UI
He was at my user group meeting a few weeks ago.
And he said it had been WCF enabled, as a DataPortal channel option.
If you buy the book, it'll be just the 2.0 version.
I think you can buy a supplement book from his website, and that's where you
get the extra stuff.
Check the DotNetRocks website; they had a good interview with Rocky as well,
where he discusses some of his framework in plain English.
I'm not using the CSLA currently, so I don't know about the Ent Lib Block
integration.
But odds are, it'll work fine. Rocky is very aware of "what's out there".
"Bill Fuller" wrote in message
news:uMV3MIe3HHA.1212@TK2MSFTNGP05.phx.gbl...
>I never heard of this, but a quick google on it looks promising.
>
> I see the framework has support for Remoting. Do you know if it has been
> extended to support WCF?
>
> Also, do you know if it will complement Enterprise Library blocks?
> (Logging, security, database, etc.)
>
> "sloan" wrote in message
> news:ONNdjjd3HHA.1204@TK2MSFTNGP03.phx.gbl...
>>
>> You should take a look at the CSLA framework for this specific need, as
>> ~an option.
>>
>>
>> "Bill Fuller" wrote in message
>> news:%23GHj3gc3HHA.4712@TK2MSFTNGP04.phx.gbl...
>>> Here is the scenario. We will be writing a web application that will
>>> need to sometimes properly handle sensitive data (salary, ssn, profit,
>>> etc.) using roles. This data will be restricted at a macro level (for
>>> example, no access to accounting modules unless authorized) and a more
>>> granular level (no visibility, read-only, and read-update to certain
>>> fields, such as personal information, depending on role).
>>>
>>> Question: Is there a good source of information on best practices for
>>> handling this? For example, does it make sense to provide custom
>>> controls for some/all of managed fields containing sensitive data?
>>>
>>
>>
>
>
Date: Mon, 13 Aug 2007 16:30:50 -0400
Author: sloan