Portal Engine Questions on portal engine and web parts.
Version 7.x > Portal Engine > Multiple roles per user per account View modes: 
User avatar
Kentico Legend
Kentico Legend
Brenden Kehren - 3/21/2013 11:32:26 AM
   
Multiple roles per user per account
I'm working through a problem and not sure if I have a solution so figured this was the best place to ask. My website is setup to enable a single user to view multiple credit card account transactions based on an account selector. Permissions for each credit card account can vary. For instance on card 1, I could be the primary account holder and have access to view pages 1 -5. But on card 2, I am the secondary account holder and can only view pages 2 and 3. But when I switch back to card 1 I can see all pages.

I went down the roles road and came across a road block because roles are calculated. I thought about setting an access level with the user account and card account although not sure how I can use the built in security roles then. Can I change a users role on the fly for just that session without it affecting anything after they log out?

User avatar
Member
Member
egarrison-wte - 3/21/2013 11:51:27 AM
   
RE:Multiple roles per user per account
In my experience the lower role overrides. That may cause a problem if your Card #2 is not setup for 1+2. You may need to create a role for each combination.

1 Only
2 Only
1 + 2

Normally this is where I would pass values to Custom SQL Datasource and do the check by joining back to the member table.

As you know from my other post, I am not sure about the alter role.


User avatar
Kentico Support
Kentico Support
kentico_jurajo - 3/23/2013 12:25:24 PM
   
RE:Multiple roles per user per account
Hi,

If user is in two roles which have set different permissions for the same object - one allowed and other role is denied, the denial permission always takes higher priority as in other systems. It is safer to deny something "by accident" than allow it.

In this case, changing roles on the fly - this would require some complex customization and maybe also changes in the membership provider.

Best regards,
Juraj Ondrus

User avatar
Kentico Legend
Kentico Legend
Brenden Kehren - 3/23/2013 1:09:17 PM
   
RE:Multiple roles per user per account
Thanks Juraj. So you see my delima now. The problem is when this user logs in they are authenticated and permissions take place by the role they are assigned to BUT if they select a different card account with greater access permissions, they will be denied even though they have the allow permissions granted.

Here is a matrix:

User1 Role1 Card1 (primary card holder)
User2 Role1 Card2 (primary card holder)
User2 Role2 Card1 (secondary card holder, card 1)
User3 Role2 Card1 (secondary card holder, card 1)
User3 Role2 Card2 (secondary card holder, card 2)

For the above Role1 is a primary, all access granted role. Role2 is a restricted role.

User1 can log in and see what they need without issue.

User2 can log in and by default Card2 is selected and since they are in both Role1 and Role2, they don't have all access to Card2 as they should because Role2 takes over. Once User2 switches to Card1, then the things are correct, but when they switch back to Card2, they are still restricted and they shouldn't be.

User avatar
Kentico Legend
Kentico Legend
Brenden Kehren - 3/27/2013 12:29:06 PM
   
RE:Multiple roles per user per account
Is there a way I can setup a module with my own permissions based on a security role and make this work? If so, how might I go about checking that?

User avatar
Kentico Support
Kentico Support
kentico_jurajo - 3/27/2013 1:29:43 PM
   
RE:Multiple roles per user per account
Hi,

You can set the permission names for your custom module (in the module definition in Site Manager -> Development -> Modules -> module -> Permissions names) and then check them in the code of the module according your rules. Or, maybe if you won't inherit the module code from the CMS class it may help too to overcome default permissions check.

Best regards,
Juraj Ondrus

User avatar
Kentico Legend
Kentico Legend
Brenden Kehren - 3/27/2013 3:07:14 PM
   
RE:Multiple roles per user per account
kentico_jurajo wrote: Or, maybe if you won't inherit the module code from the CMS class it may help too to overcome default permissions check.
Not sure I understand what you mean here. Aren't permissions for a module based on a user or a role? Either way, I think I'm still stuck. I think I need a third piece in order to make the permissions work properly on the fly.

If user is already authenticated and has access to pages, webparts, etc based on roles and security how could I even use the module permissions to set access when a user selects an account with lesser permissions? Just doesn't seem feasible without all kinds of coding.

User avatar
Kentico Support
Kentico Support
kentico_jurajo - 3/30/2013 12:45:44 PM
   
RE:Multiple roles per user per account
Hi,

What I meant is when you are creating a custom module page, you are inheriting from CMSToolsPage class - there is the security check implemented too. So, you may not inherit from this class - but then also you will miss other features probably.

Adding the logic you want would probably require a complex customization or maybe also fully custom membership provider.

Best regards,
Juraj Ondrus

User avatar
Kentico Support
Kentico Support
kentico_jurajo - 3/27/2013 1:27:33 PM
   
RE:Multiple roles per user per account
Hi,

I see - but the denial permission takes precedence also in other systems or, you need to explicitly set the permissions for given user or create a separate role. Also file system permissions work in similar way.

Best regards,
Juraj Ondrus