I have searched around and I can’t find any particular answer that addresses what I am asking but no doubt it will have been mentioned already somewhere.
I know that when you inherit from an abstract System.Web.Security.RoleProvider
you override this method: public abstract string[] GetRolesForUser(string username);
and as the name of the method (GetRoles) and its return value (string[]) imply, more than 1 role can be returned for a single user, but it could also be restricted to a single-item array through a custom role provider.
In my situation I am implementing this in a .NET MVC web app and using a custom .NET role provider, and I have a decision to make as to whether I should allow a user to be in more than 1 role at a time.
I am looking for any general reasons for/against doing this (most specifically implementation reasons).
Most of the points I can think of are app-domain specific; here are a couple…
- Deciding which role permissions take priority i.e. what to do when 1 role authorizes a particular action and another is supposed to deny it but both roles are assigned to the same user.
- Whether to allow users to switch in and out of their roles or to only ever assign 1 role to them and have an administrator change this.
but is there any particularly bad reason why you should avoid giving a user multiple roles at a time? Is it better to give a user only 1 role?
Roles are one of those things that is strongly domain-dependent. In other words, you assign someone to a Role because that’s the role they play IRL.
If you don’t allow roles to overlap, you can find yourself in the uncomfortable position of creating “hybrid” roles that encompass multiple responsibilities, for example, creating a role that solely describes the “QA Supervisor/Code Administrator/Floor Sweeper” guy.
If you allow multiple roles, you can just assign those three roles, and you’re done.
Resolving role conflicts is easy enough; you just decide which one takes precedence, or you assume “deny” unless a specific permission is granted. Users don’t normally assign roles to themselves; someone higher up in the food chain has to do that.
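The two conflict-resolution strategies the answer mentions (a precedence order between roles, or deny-by-default with explicit grants) and the multi-role shape of GetRolesForUser, as an added C# example that is not part of the question or the answer. It does not subclass System.Web.Security.RoleProvider, so it runs as a plain console program; the user names, role names, permission names and the rule that an explicit Deny beats an Allow are all constructed for illustration.

```csharp
// Added example: in-memory multi-role lookup plus two ways of resolving conflicts
// between the roles a user holds. All names and data below are constructed.
using System;
using System.Collections.Generic;
using System.Linq;

public enum Effect { Allow, Deny }

public static class RoleAuthorization
{
    // Constructed sample data: a user may hold several roles at once.
    private static readonly Dictionary<string, string[]> UserRoles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
    {
        { "alice", new[] { "QASupervisor", "CodeAdministrator", "FloorSweeper" } },
        { "bob",   new[] { "FloorSweeper" } },
    };

    // Constructed sample data: what each role says about each permission.
    // A permission a role does not list is neither allowed nor denied by that role.
    private static readonly Dictionary<string, Dictionary<string, Effect>> RolePermissions =
        new Dictionary<string, Dictionary<string, Effect>>
    {
        { "QASupervisor",      new Dictionary<string, Effect> { { "ApproveRelease", Effect.Allow }, { "DeployToProd", Effect.Deny } } },
        { "CodeAdministrator", new Dictionary<string, Effect> { { "DeployToProd", Effect.Allow },   { "EditSource", Effect.Allow } } },
        { "FloorSweeper",      new Dictionary<string, Effect> { { "OpenBuilding", Effect.Allow } } },
    };

    // Same signature shape as RoleProvider.GetRolesForUser: zero or more roles per user.
    public static string[] GetRolesForUser(string username)
    {
        string[] roles;
        return UserRoles.TryGetValue(username, out roles) ? roles : new string[0];
    }

    // Collect every effect the user's roles express for this permission.
    private static List<Effect> EffectsFor(IEnumerable<string> roles, string permission)
    {
        return roles
            .Where(role => RolePermissions.ContainsKey(role))
            .Select(role => RolePermissions[role])
            .Where(perms => perms.ContainsKey(permission))
            .Select(perms => perms[permission])
            .ToList();
    }

    // Strategy 1, deny-by-default: any explicit Deny wins; otherwise the permission is
    // granted only if some role explicitly allows it; anything unmentioned is refused.
    public static bool IsAuthorizedDenyByDefault(string username, string permission)
    {
        var effects = EffectsFor(GetRolesForUser(username), permission);
        if (effects.Contains(Effect.Deny)) return false;
        return effects.Contains(Effect.Allow);
    }

    // Strategy 2, precedence: walk the roles in a fixed priority order and let the first
    // role that mentions the permission decide. Roles absent from the order never decide.
    public static bool IsAuthorizedByPrecedence(string username, string permission, string[] rolePrecedence)
    {
        var held = new HashSet<string>(GetRolesForUser(username), StringComparer.OrdinalIgnoreCase);
        foreach (var role in rolePrecedence)
        {
            if (!held.Contains(role) || !RolePermissions.ContainsKey(role)) continue;
            Effect effect;
            if (RolePermissions[role].TryGetValue(permission, out effect))
                return effect == Effect.Allow;
        }
        return false; // no role in the precedence list spoke to this permission
    }

    public static void Main()
    {
        // alice holds three roles; QASupervisor denies DeployToProd while CodeAdministrator allows it.
        Console.WriteLine("deny-by-default, alice DeployToProd: " +
            IsAuthorizedDenyByDefault("alice", "DeployToProd"));
        // With CodeAdministrator ranked above QASupervisor, the precedence strategy decides differently.
        Console.WriteLine("precedence, alice DeployToProd: " +
            IsAuthorizedByPrecedence("alice", "DeployToProd", new[] { "CodeAdministrator", "QASupervisor" }));
        // bob's single role says nothing about EditSource, so both strategies refuse it.
        Console.WriteLine("deny-by-default, bob EditSource: " +
            IsAuthorizedDenyByDefault("bob", "EditSource"));
        // An unknown user has no roles and is refused everything.
        Console.WriteLine("deny-by-default, carol OpenBuilding: " +
            IsAuthorizedDenyByDefault("carol", "OpenBuilding"));
    }
}
```

The two strategies disagree on exactly the case the question worries about: with the sample data, alice's DeployToProd request is refused under deny-by-default because one of her roles explicitly denies it, but granted under the precedence order shown because the higher-ranked role allows it. Whichever you pick, keep the decision in one place such as the helper above rather than spread across controllers, and note that the built-in MVC [Authorize(Roles = "A,B")] attribute only checks membership in any of the listed roles; it has no notion of a Deny, so a per-permission policy like this has to sit behind it.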