{"id":215,"date":"2007-01-22T00:00:00","date_gmt":"2007-01-22T00:00:00","guid":{"rendered":"https:\/\/test.simple-talk.com\/uncategorized\/controls-based-security-in-a-windows-forms-application\/"},"modified":"2021-04-29T15:28:29","modified_gmt":"2021-04-29T15:28:29","slug":"controls-based-security-in-a-windows-forms-application","status":"publish","type":"post","link":"https:\/\/www.red-gate.com\/simple-talk\/development\/dotnet-development\/controls-based-security-in-a-windows-forms-application\/","title":{"rendered":"Controls Based Security in a Windows Forms Application"},"content":{"rendered":"

One of my clients wanted to be able to restrict any given control, on any form, so that it is either invisible or disabled based on who is using the form. We decided to make the restrictions “roles-based” – that is “managers can click this button, users can see it, but to guests it is invisible.”<\/p>\n

We wanted to build an architecture that would allow us to add forms and controls to the application without deciding in advance which roles we would use, and without having to modify the forms or controls to meet the needs of the security architecture any more than absolutely necessary. The ideal security architecture would be independent of the participating forms and controls<\/b>.<\/p>\n

In this article, I will review the approach I took, focusing on the nitty-gritty code used to make this work, and the challenges faced in creating such an application quickly (their budget for this was 4 days). This article takes you as far as saving the users, roles and the permissions those roles have for the various controls. It does not<\/i> implement login and so it does not implement any of the checks to see if the logged in user should be restricted in access to the controls on any given page. All of that is left as a (dare I say?) fairly straight-forward exercise for the reader.<\/p>\n

The full source code for this article is available for download. Simply click on the CODE DOWNLOAD<\/b> link in the box to the right of the article title. It is also available on the author’s website<\/a>.<\/p>\n

NOTE<\/b>:
\nThis article is targeted at .NET 2 programmers already familiar with C# and .NET Windows Forms. I do not explain how to create forms, or how event handling works, nor do I explain how to interact with a SQL database.<\/i><\/p>\n

Users and roles<\/h2>\n

There are many security schemes that have evolved over time, but the one which has proven most successful, at least in the Windows world, is that of Access Control Lists (ACLs) now most commonly referred to as Users<\/b> and Roles<\/b>. We see this most cleanly and starkly implemented in ASP.NET, though it presents a bit more of a challenge with Windows Forms applications that will be used by a very large number of users. (One approach is to use the ASP.NET authentication support, accessing it through a web service.)<\/p>\n

NOTE<\/b>:
\nSee, for example, my articles on creating <\/em>users <\/em><\/a>and <\/em>roles <\/em><\/a>on O’Reilly Windows DevCenter (though today I would re-write these articles to use the Web Site Administration Tool accessed from Visual Studio under Website-> ASP.NET -> Configuration.<\/em><\/p>\n

My client had their own authentication system (as part of their larger in-house system) and to keep this article simple I’ll follow their lead and simply create a Users<\/b> table and a Roles<\/b> table and finesse the authentication.<\/p>\n

Roles and controls<\/h2>\n

To decide if a user has “access” to a control (which will be defined as meaning the right to see a control or to invoke the control) we’ll create two additional objects:<\/p>\n