I'm putting together an intranet site for our company. The administration wants complete control over everything. Basically, they want the ability to create "policy groups" at whim, and for each group, assign what they can do. For example, View Users, Edit Users, Add New User. What I've seen for .Core's authorization scheme is that you can hardcode which group or users can use what controllers/actions. However, since this is all dynamic, I don't want that.
I've been thinking about creating a custom attribute that will contain a specific ID for each action. For example:
[HasPermission(1)] public ActionResult ViewUsers(){}
[HasPermission(2)] public ActionResult EditUsers(){}
And then in the database, I will assign 1=View Users, 2=Edit Users, etc... then they can assign groups to each record... simple database stuff.
So, if a user belongs to a group that has access to 1 and not 2, they will be limited to use ViewUsers and not EditUsers.
I want to know if this makes sense, or is there a better way of doing this. Again, we're talking about a lot of controllers/actions that they want to assign users to, and create/manage/delete policy groups at their whim.
Thanks for any input!
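Added example, not part of the original post: one way to implement the scheme the question describes in ASP.NET Core, where the attribute only carries a permission ID and the group membership lookup happens against the database at request time. It uses the framework's own extension points (a custom IAuthorizationPolicyProvider so no policy has to be registered per action, and an AuthorizationHandler that consults a store). The Permissions constants, the IPermissionStore interface and the InMemoryPermissionStore with its users and groups are assumptions constructed for this example; a real deployment would back the store with the groups/permissions tables.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

// Named constants instead of bare numbers in attributes (assumed names, not from the post).
public static class Permissions
{
    public const int ViewUsers = 1;
    public const int EditUsers = 2;
}

// [HasPermission(2)] becomes an AuthorizeAttribute whose policy name is "Permission:2".
public sealed class HasPermissionAttribute : AuthorizeAttribute
{
    public const string Prefix = "Permission:";
    public HasPermissionAttribute(int permissionId) => Policy = Prefix + permissionId;
}

public sealed class PermissionRequirement : IAuthorizationRequirement
{
    public int PermissionId { get; }
    public PermissionRequirement(int id) => PermissionId = id;
}

// Creates "Permission:N" policies on demand; any other policy name goes to the default provider.
public sealed class PermissionPolicyProvider : IAuthorizationPolicyProvider
{
    private readonly DefaultAuthorizationPolicyProvider _fallback;
    public PermissionPolicyProvider(IOptions<AuthorizationOptions> options)
        => _fallback = new DefaultAuthorizationPolicyProvider(options);

    public Task<AuthorizationPolicy> GetPolicyAsync(string policyName)
    {
        if (policyName.StartsWith(HasPermissionAttribute.Prefix, StringComparison.Ordinal)
            && int.TryParse(policyName.Substring(HasPermissionAttribute.Prefix.Length), out var id))
        {
            var policy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .AddRequirements(new PermissionRequirement(id))
                .Build();
            return Task.FromResult(policy);
        }
        return _fallback.GetPolicyAsync(policyName);
    }
    public Task<AuthorizationPolicy> GetDefaultPolicyAsync() => _fallback.GetDefaultPolicyAsync();
    public Task<AuthorizationPolicy> GetFallbackPolicyAsync() => _fallback.GetFallbackPolicyAsync();
}

// Assumed abstraction over the users -> groups -> permissions tables.
public interface IPermissionStore
{
    Task<bool> UserHasPermissionAsync(string userId, int permissionId);
}

// Default is deny: the requirement is only marked succeeded when the store says so.
public sealed class PermissionHandler : AuthorizationHandler<PermissionRequirement>
{
    private readonly IPermissionStore _store;
    public PermissionHandler(IPermissionStore store) => _store = store;

    protected override async Task HandleRequirementAsync(
        AuthorizationHandlerContext context, PermissionRequirement requirement)
    {
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId == null) return;   // not authenticated: leave the requirement unmet
        if (await _store.UserHasPermissionAsync(userId, requirement.PermissionId))
            context.Succeed(requirement);
    }
}

// Constructed sample data standing in for the database; a real store runs a query here.
public sealed class InMemoryPermissionStore : IPermissionStore
{
    private static readonly Dictionary<string, string[]> UserGroups = new Dictionary<string, string[]>
    { ["alice"] = new[] { "UserAdmins" }, ["bob"] = new[] { "HelpDesk" } };
    private static readonly Dictionary<string, int[]> GroupPermissions = new Dictionary<string, int[]>
    { ["UserAdmins"] = new[] { Permissions.ViewUsers, Permissions.EditUsers },
      ["HelpDesk"]   = new[] { Permissions.ViewUsers } };

    public Task<bool> UserHasPermissionAsync(string userId, int permissionId)
    {
        var ok = UserGroups.TryGetValue(userId, out var groups) && Array.Exists(groups,
            g => GroupPermissions.TryGetValue(g, out var p) && Array.IndexOf(p, permissionId) >= 0);
        return Task.FromResult(ok);
    }
}

public class UsersController : Controller
{
    [HasPermission(Permissions.ViewUsers)] public IActionResult ViewUsers() => Ok("user list");
    [HasPermission(Permissions.EditUsers)] public IActionResult EditUsers() => Ok("edited");
}

// Registration for ConfigureServices / Program.cs.
public static class PermissionSetup
{
    public static IServiceCollection AddPermissionAuthorization(this IServiceCollection services)
    {
        services.AddScoped<IPermissionStore, InMemoryPermissionStore>();
        services.AddSingleton<IAuthorizationPolicyProvider, PermissionPolicyProvider>();
        services.AddScoped<IAuthorizationHandler, PermissionHandler>();
        return services;
    }
}
```

With the sample data, "bob" (HelpDesk) can reach ViewUsers but gets 403 on EditUsers, which is the behaviour the post asks for, and changing a group's rows in the store takes effect on the next request because the handler is scoped and re-queries each time. Two caveats worth building in from the start: set AuthorizationOptions.FallbackPolicy to RequireAuthenticatedUser() so an action that someone forgets to annotate is not silently open, and if you cache the user-to-permission lookup for performance, key the cache so that an admin removing a user from a group invalidates it promptly rather than at some TTL.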