Software Engineering, Project Management, and Effectiveness
What are the key steps to designing an effective authentication and authorization strategy? The keys are knowing your user stores, your role stores, and who needs to access what or perform which operations. In this post, I share the approaches we've used in two of our patterns & practices guides. These are the approaches we've used to help customers successfully design their authentication and authorization strategies.
Designing an Authentication and Authorization Strategy - v1
When we first wrote Building Secure ASP.NET Applications, here's the meta-process we came up with for working through your authentication and authorization strategies:
For elaboration, see Authentication and Authorization.
Designing an Authentication and Authorization Strategy - v2
When we recently wrote Improving Web Application Security, we made some revisions:
Personally, I've found it really cuts to the chase if you start with your user stores and role stores, since they tend to be somewhat fixed.
Identities
When you think through the identities, I've found it helpful to think in terms of who needs to access which resources or perform which actions. Consider the following:
Resource Types
When you think through the resource types, I find it helpful to think in terms of:
Authorization Strategies
When thinking through the authorization strategies, I find it helpful to consider:
Resource Access Patterns
When thinking through the resource access patterns, I find it helpful to consider:
Designing authentication and authorization can be a gnarly topic. I hope the scaffolding above helps you find a path that works for you.
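To make the scaffolding concrete, here is an added example (my illustration, not code from either guide) of the pieces the post says to pin down first: a user store, a role store, the resource types and operations, and a "who can do what" matrix derived from them. The stores, the identities (alice, bob, svc-reports), the expense_report resource type and the ownership rules are all constructed for this example; a real application would read them from a directory or database. The check denies by default, applies the coarse role-based rule first, then a fine-grained resource-based rule, so the two authorization strategies can be seen side by side.

```python
from dataclasses import dataclass

# Constructed user store: identity -> roles. Stands in for a directory
# or application database; note that one entry is a service identity.
USER_STORE = {
    "alice": frozenset({"Manager"}),
    "bob": frozenset({"Employee"}),
    "svc-reports": frozenset({"ReportService"}),
}

# Constructed role store: role -> permitted (resource type, operation) pairs.
# This is the coarse-grained, role-based half of the strategy.
ROLE_STORE = {
    "Employee": frozenset({("expense_report", "create"), ("expense_report", "read")}),
    "Manager": frozenset({("expense_report", "read"), ("expense_report", "approve")}),
    "ReportService": frozenset({("expense_report", "read")}),
}


@dataclass(frozen=True)
class Resource:
    type: str   # which resource type this instance belongs to
    owner: str  # identity that owns it; used by the resource-based checks


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def roles_for(identity: str) -> frozenset:
    """Look the identity up in the user store; unknown identities get no roles."""
    return USER_STORE.get(identity, frozenset())


def role_permits(identity: str, resource_type: str, operation: str) -> bool:
    """Role-based check: does any role of this identity grant the operation on the type?"""
    return any((resource_type, operation) in ROLE_STORE.get(role, frozenset())
               for role in roles_for(identity))


def authorize(identity: str, operation: str, resource: Resource) -> Decision:
    """Deny by default: pass the role check first, then the per-resource rules."""
    if not role_permits(identity, resource.type, operation):
        return Decision(False, f"no role of {identity!r} permits {operation} on {resource.type}")
    roles = roles_for(identity)
    # Resource-based rules (constructed for this example): ordinary readers only
    # see their own reports, and nobody approves a report they own, whatever their role.
    if operation == "read" and not ({"Manager", "ReportService"} & roles) and resource.owner != identity:
        return Decision(False, "employees may only read their own expense reports")
    if operation == "approve" and resource.owner == identity:
        return Decision(False, "self-approval is not allowed")
    return Decision(True, f"{operation} on {resource.type} granted via roles {sorted(roles)}")


def access_matrix() -> dict:
    """Design-review aid: for each identity in the user store, the (type, operation)
    pairs its roles grant. This is the 'who can access what' table to work out first."""
    return {identity: frozenset().union(*(ROLE_STORE.get(r, frozenset()) for r in roles))
            for identity, roles in USER_STORE.items()}


if __name__ == "__main__":
    for identity, ops in sorted(access_matrix().items()):
        print(identity, sorted(ops))
    print(authorize("bob", "read", Resource("expense_report", "alice")))
    print(authorize("alice", "approve", Resource("expense_report", "bob")))
```

Running the block prints the access matrix and two decisions; the matrix is the artifact worth reviewing with the business owner before any code is written, because a role whose permitted operations surprise them is a design problem, not an implementation one.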
Why do you say "identities" instead of accounts?
I tend to think of accounts as implementations of my identities.