Overhauling the Security Framework of our Content Management System
The past few weeks have been challenging in an interesting and fun way. We are on track to release version 2.6 of our Content Management System and finally decided it was time to overhaul our security framework. We are moving from a simple role-based architecture to a framework that supports the following:
- Roles
- Permissions
- Ability to assign Permissions to Roles
- Ability to assign Supplemental Permissions to Users outside of Roles
- Ability to assign Roles to Users
- Ability to grant/deny access down to the control level
- Reverse capability of locking individual elements down by assigning Roles/Permissions to user-created elements
In working on this there have been LOTS of questions, as you can imagine. Here are a few resources I found useful and/or interesting while working on this implementation.
- I am a regular reader of the .NET Security Blog and found the CAS and CLR discussions pertaining to .NET 4 interesting.
- I found a nice way to get a flattened hierarchy of controls on a page over at the Vault of Thoughts. We implemented something similar but with a few additions.
- Here is a good read on general role based security.
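A sketch of how the pieces listed above can fit together: effective permissions resolved from roles plus supplemental grants, then checked against a flattened control tree. This is an added example, not code from the CMS. The `Node`, `User` and `Demo` types, the permission names, and the rule that an explicit deny overrides any grant are all assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

class Node  // hypothetical stand-in for a page control
{
    public string Id, RequiredPermission;  // null permission = unrestricted
    public List<Node> Children = new List<Node>();
}
class User  // hypothetical user record
{
    public List<string> Roles = new List<string>();
    public HashSet<string> Supplemental = new HashSet<string>();  // granted outside any role
    public HashSet<string> Denied = new HashSet<string>();        // explicit denies
}

static class Demo
{
    static readonly Dictionary<string, string[]> RolePermissions = new Dictionary<string, string[]>
    {   // constructed sample data: role -> permissions
        { "Author", new[] { "page.edit" } },
        { "Editor", new[] { "page.edit", "page.publish" } },
    };

    // Assumed rule: union of role permissions and supplemental grants, minus denies.
    static HashSet<string> Effective(User u)
    {
        var set = new HashSet<string>(u.Roles
            .Where(r => RolePermissions.ContainsKey(r))   // unknown roles grant nothing
            .SelectMany(r => RolePermissions[r]));
        set.UnionWith(u.Supplemental);
        set.ExceptWith(u.Denied);                         // deny wins over any grant
        return set;
    }

    // Depth-first flattening of the control tree.
    static IEnumerable<Node> Flatten(Node root)
    {
        yield return root;
        foreach (var n in root.Children.SelectMany(c => Flatten(c))) yield return n;
    }

    static void Main()
    {
        var page = new Node { Id = "page", Children = {
            new Node { Id = "btnEdit", RequiredPermission = "page.edit" },
            new Node { Id = "btnPublish", RequiredPermission = "page.publish" },
            new Node { Id = "btnDelete", RequiredPermission = "page.delete" } } };
        var user = new User { Roles = { "Editor" }, Supplemental = { "page.delete" }, Denied = { "page.publish" } };
        var perms = Effective(user);
        foreach (var n in Flatten(page))  // fail closed: a named permission the user lacks hides the control
            Console.WriteLine("{0}: {1}", n.Id, n.RequiredPermission == null || perms.Contains(n.RequiredPermission) ? "shown" : "hidden");
    }
}
```

Hiding a control only changes what is rendered, so the server-side handler behind each action needs the same `Effective` check before it does any work.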
Derek Bemis