Designing an Authentication and Authorization Strategy - J.D. Meier's Blog - Site Home

What are the key steps to designing an effective authentication and authorization strategy? The keys are knowing your user stores, role stores, and who need to access what or perform which operations. In this post, I share the approaches we've used in two of our patterns & practices guides. These are the approaches we've used to help customers design successfully design their authentication and authorization approaches.

Designing an Authentication and Authorization Strategy - v1
When we first wrote Building Secure ASP.NET Applications, here's the meta-process we came up with for working through your authentication and authorization strategies:

Identify resources
Choose an authorization strategy
Choose the identities used for resource access
Consider identity flow
Choose an authentication approach
Decide how to flow identity

For elaboration, see Authentication and Authorization.

Designing an Authentication and Authorization Strategy - v2
When we recently wrote Improving Web Application Security, we made some revisions:

Identify your user stores.
Identify your role stores.
Identify resources you need to access and operations you need to perform.
Identify which identities need to access the resources and perform the operations.
Choose your authentication and authorization strategies.

Personally, I've found it really cuts to the chase if you start with your user stores and role stores, since they tend to be somewhat fixed.

Identities
When you think through the identities, I've found it helpful to think in terms of who needs to access which resources or perform which actions. Consider the following: