How to determine a specific permission for a user who is not the CurrentUser


Author
Message
Flavelle Ballem
StrataFrame Novice (78 reputation)
Group: Forum Members
Posts: 56, Visits: 126
I'm not an expert in the code for security, but let me ask if this is a valid approach:

Objective: User attempts to log in (UserID/Password? or Windows Authentication). If successfully authenticated, then the system will retrieve the projects, and the roles within those projects, for which they are authorised.

Assumptions:

  1. All Users must be authenticated before the application attempts to retrieve their roles.
  2. There are two classes of users - Enterprise Users who have access to all projects and Project Users who have access only to one or more projects. Question: Does the Enterprise User have access to all roles within every project?

It seems to me that you would set up Project and Role tables (the Enterprise Project would be null or a specifically defined value). In your login code, the User Roles would be retrieved.

As Trent suggested, keep it simple and remember that all users must be authenticated before the roles are retrieved.

Regards,

Flavelle

Greg McGuffey
Strategic Support Team Member (3.4K reputation)
Group: Forum Members
Posts: 2K, Visits: 6.6K
That was our first attempt, that enterprise users have access to all roles within all projects. Unfortunately, that is not the case. Think of it really as more that there are enterprise roles and project roles. Enterprise roles are for data that is defined at the enterprise level. Most would only be able to see the data; a few would be charged with maintaining it. A user could actually have both kinds of roles. That is, they have project-level access for project-level data, but they also happen to be an expert in some enterprise area and have an enterprise role for that one area. E.g.

Bill is an expert with the Acme Process Certification, which is used to certify a process as meeting a set of standards. Entering and editing standards data is an enterprise-level role and Bill has this role, so he can maintain the Acme Process Certification standards.

However, Bill also works on projects, helping clients define processes. In this case, his role related to entering/editing processes (and his access to any project) is defined per project. He might be working on one or maybe two projects at a time, so he has access to those two projects.

BTW, I have a working system to handle this now. I'm using a custom login form that calls a custom class that handles the details. The original question of this post was how to determine if a user had a specific permission when they are not yet the logged-on user, and the answer to that is to authenticate them, which returns a user BO, which can be used to create a LoggedInUser, which can be used to check a permission.

Thanks for the help and suggestions. I'm always looking for ways to make it simpler... it's those darned users who are making this complicated! ;)
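The flow the two posts converge on (authenticate first, then load the user's roles, then evaluate a permission within one scope) can be shown without any framework. Below is an added, self-contained Python model of it; it is not StrataFrame code and not Greg's class. The table layout, the `None` sentinel standing in for the "enterprise" project, the role and permission names, the sample users and their passwords, and the PBKDF2 hashing are all assumptions made for the illustration. The point it demonstrates is the one Greg makes: an enterprise role and a project role are separate grants, so Bill's enterprise standards role never gives him access to a project he is not assigned to, and his project roles never give him enterprise permissions.

```python
import hashlib
import hmac
import os

# Sentinel for the enterprise scope. Flavelle's post suggests a NULL or
# reserved project id for this; None plays that part here (assumption).
ENTERPRISE = None

# Role -> permissions it grants. Names are assumptions for this example.
ROLE_PERMISSIONS = {
    "standards_editor": {"standards.view", "standards.edit"},
    "standards_viewer": {"standards.view"},
    "process_editor": {"project.access", "process.view", "process.edit"},
    "process_viewer": {"project.access", "process.view"},
}


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; iteration count kept modest for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_user(user_id: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"user_id": user_id, "salt": salt, "pw_hash": _hash_password(password, salt)}


# Constructed sample "User" table (passwords exist only for this example).
USERS = {
    u["user_id"]: u
    for u in (_make_user("bill", "acme-2024!"), _make_user("alice", "pw-alice"))
}

# Constructed sample "UserRole" table: (user_id, project_id, role).
# Bill has an enterprise role plus project roles on P1 and P2, as in Greg's post.
USER_ROLES = [
    ("bill", ENTERPRISE, "standards_editor"),
    ("bill", "P1", "process_editor"),
    ("bill", "P2", "process_editor"),
    ("alice", "P1", "process_viewer"),
]


def authenticate(user_id: str, password: str):
    """Step 1: verify credentials. Returns the user record, or None on failure.

    An unknown user id is still run through the hash and a constant-time
    compare, so response timing does not reveal whether the account exists.
    """
    user = USERS.get(user_id)
    salt = user["salt"] if user else b"\x00" * 16
    candidate = _hash_password(password, salt)
    if user is None or not hmac.compare_digest(candidate, user["pw_hash"]):
        return None
    return user


class LoggedInUser:
    """Step 2: built only from an authenticated record; loads that user's roles.

    Roles are never fetched before authentication succeeds, which is the
    assumption both posts insist on.
    """

    def __init__(self, user: dict):
        self.user_id = user["user_id"]
        self.roles = {(pid, role) for uid, pid, role in USER_ROLES if uid == self.user_id}

    def has_permission(self, permission: str, project_id=ENTERPRISE) -> bool:
        """Step 3: evaluate a permission within exactly one scope.

        Only role assignments for the requested project (or the enterprise
        scope) are consulted, so an enterprise role does not leak into a
        project and a project role does not leak into the enterprise scope.
        """
        return any(
            permission in ROLE_PERMISSIONS.get(role, set())
            for pid, role in self.roles
            if pid == project_id
        )


def check_permission(user_id: str, password: str, permission: str, project_id=ENTERPRISE) -> bool:
    """The thread's answer for a user who is not the current user:
    authenticate them, build a LoggedInUser from the result, then ask it."""
    user = authenticate(user_id, password)
    if user is None:
        return False
    return LoggedInUser(user).has_permission(permission, project_id)
```

Note that `has_permission` defaults to the enterprise scope, so a caller who forgets to pass a project id gets the narrower enterprise answer rather than an accidental union of every project the user touches; in a real system the scope argument should probably be mandatory.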