Is the article "Designing Application-Managed Authorization" still relevant?

Topics: General discussion, Security Application Block
Jan 20, 2009 at 4:48 PM

I'm doing research on user authenticaion and RBAC for a enterprise level project we are starting. We will be developing with C#/.Net 3.5 and I don't want to start off on the wrong foot with something that is already out of date.

If I could ask a basic question...
Is application managed authorization the way to go for deployments where not all the users will be on a domain?
We have a stand alone Windows app (rich client) which may or may not be on a computer with network access. We need user authorization and RBAC to satisfy some security regulations in our industry. Some of our deployments will be at large installations where the machines will be on a domain and our application will communicate with a central SQL Server for data storage. We will also have many deployments on stand alone PCs with SQL Server Express running locally for data storage.  
I am assuming that the thing to do is to store the username/password and RBAC roles on the SQL Server.
It seems like there are tools in the Security Block and Authorization Manager to facillitate this.

Thank you for any advice.
Jan 21, 2009 at 11:01 AM
It is still relevant except that I think other technologies should be included, like for example, WCF. 

It's hard to tell, and should I say I'm not the best person to answer your question on how relevant it will be to implement it in your application but here's what Security Application Block could provide you.   You can definitely implement authorization based on roles with it.  If you're going to store the username and password, you just have to create an IPrincipal object out of it and you can already use the built in provider in it.  For a more detailed info, check out the documentation or see this tutorial..

Sarah Urmeneta
Global Technology & Solutions
Avanade, Inc.