Configuring Application Security

Most applications serve a variety of constituents – customers, customer service, marketing, sales, and management, to name a few.  With broad use comes a need to partition data according to the user type – and sometimes down to the individual user as well.

One of the most convenient security mechanisms is role-based security because it allows individual users to be assigned to roles, with access then granted at the role level.  This makes for convenient administration because most applications need just a handful of roles – 5 or 10 at most – but may have thousands of users.

Broadly speaking, Iron Speed Designer creates two types of role-based security:

  1. Simple sign-in authentication.  Application users must sign into the application.  Only users with user names and passwords can sign in, giving you control over who can access your application.

  2. Role-based authorization.  Individual web pages are configured to accept users who have one of several designated roles.

With role-based security, you can:

Authentication (who can sign in)

Simple sign-in authentication distinguishes between users who are signed in and those who are not.  Users who are not signed in are called anonymous users.  Because of the flexibility in Iron Speed Designer’s role-based security model, you can grant access to individual pages to signed-in users, to anonymous users, or to both.  This is very useful when you want your application to present one view of your data to a signed-in user and a different view, perhaps more limited, to users who haven’t signed in or don’t have an account (anonymous users).

Simple sign-in authentication distinguishes between users who are signed-in and those who are not (anonymous users).

All that is needed to configure sign-in authentication is a single source containing your application users’ user name and password information.  For example, configuring simple sign-in authentication is straightforward with Database Security, one of several security mechanisms offered by Iron Speed Designer:

Step 1:  Configure the role-based security by selecting the proper fields from the selected database table.

Simple sign-in security requires just a single database table (Database Security option) with basic user name and password information.

Step 2:  Specify page-specific access rights.

Step 3:  Build and run your application.

Authorization (role-based access control)

In more sophisticated role-based security systems, users can be assigned multiple roles, effectively giving them broader access than would be granted by a single role.  A simple example is that not every customer service representative may be authorized to access customer credit card data.  In this example, the customer service supervisor has one role as a "rep" with access to customer account information, and a second role as "manager" with authorization to issue refunds or credits.  Ideally, those roles are accessible simultaneously without requiring the user to log in under a second role.

Multiple-role authorization distinguishes between different classes of users based on their assigned role.  Individual application users can have multiple roles assigned to them, and individual web pages can be configured to permit access by multiple roles.

Configuring multiple-role authorization is straightforward (Database Security option):

Step 1:  Configure role-based security by selecting the proper fields from the selected database tables (user name, password, user ID, the role information and the User Role information).

Multiple role security requires several database tables (Database Security option) with basic user name and password information.

Step 2:  Specify page-specific access rights.

Step 3:  Build and run your application.
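
The sign-in check and the multiple-role page check that the two procedures above configure, as an added example (not Iron Speed Designer's generated code).  Table, column, page and pseudo-role names are assumptions, the users are constructed, and the password column is assumed to hold a salted PBKDF2 hash rather than the password itself.

```python
import hashlib, hmac, os, sqlite3

# Assumed schema for the fields Step 1 asks for (table/column names are hypothetical).
SCHEMA = """
CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_name TEXT UNIQUE,
                    salt BLOB, pw_hash BLOB);
CREATE TABLE roles (role_id INTEGER PRIMARY KEY, role_name TEXT UNIQUE);
CREATE TABLE user_roles (user_id INTEGER REFERENCES users,
    role_id INTEGER REFERENCES roles, PRIMARY KEY (user_id, role_id));
"""
ANONYMOUS, SIGNED_IN = "*anonymous*", "*signed-in*"  # pseudo-roles for page rules
PAGE_ROLES = {"Catalog.aspx": {ANONYMOUS, SIGNED_IN},  # constructed page rules
              "Account.aspx": {"rep"}, "Refund.aspx": {"manager"}}

def _hash(password, salt):  # store a salted PBKDF2 hash, never the password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def add_user(db, name, password, roles):
    salt = os.urandom(16)
    uid = db.execute("INSERT INTO users (user_name, salt, pw_hash) VALUES (?,?,?)",
                     (name, salt, _hash(password, salt))).lastrowid
    for r in roles:
        db.execute("INSERT OR IGNORE INTO roles (role_name) VALUES (?)", (r,))
        db.execute("INSERT INTO user_roles SELECT ?, role_id FROM roles "
                   "WHERE role_name = ?", (uid, r))
    return uid

def sign_in(db, name, password):
    """Authentication: return the user_id, or None for a bad name or password."""
    row = db.execute("SELECT user_id, salt, pw_hash FROM users "
                     "WHERE user_name = ?", (name,)).fetchone()
    ok = row and hmac.compare_digest(row[2], _hash(password, row[1]))
    return row[0] if ok else None

def can_view(db, page, user_id=None):
    """Authorization: deny by default; any one matching role grants access."""
    allowed = PAGE_ROLES.get(page, set())
    if user_id is None:
        return ANONYMOUS in allowed
    held = {r for (r,) in db.execute(
        "SELECT role_name FROM roles JOIN user_roles USING (role_id) "
        "WHERE user_id = ?", (user_id,))}
    return SIGNED_IN in allowed or bool(held & allowed)

def demo_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    add_user(db, "alice", "constructed-pw-1", ["rep", "manager"])  # supervisor
    add_user(db, "bob", "constructed-pw-2", ["rep"])
    return db
```

A page missing from the rule table is denied to everyone, and a user holding both "rep" and "manager" reaches both pages from a single sign-in.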

Putting it all together

Iron Speed Designer’s Application Security Wizard automatically adds end-user authentication (sign-in) and authorization (role-based access control) as standard features to your applications.  You can define any number of roles and give each user access to any number of them.

For the Database Security option, for example, your sign-in feature is based on your own user table in your database and you can quickly secure individual pages to specific roles via the Application Security Wizard.  Specifically, Iron Speed Designer supports:

See Also

Step 1:  Select Application Security Type

Step 2:  Enter Active Directory Connection String

Step 3:  Select the User Table (Database Security)

Step 4:  Select the Roles Table (Database Security)

Step 4:  Select the Policy Store Role Provider (AzMan Security)

Step 4:  Select the Roles (SharePoint Security)

Step 5:  Assign Page Permissions

Step 6:  Configure Individual Controls for Role-Based Security

Step 7:  Configure the ForgotUser.aspx page

Administering Database Security at Run-Time

Displaying Data for Logged In Users

Retrieving Forgotten Sign In Information

Configuring Automatic Sign-Out

Configuring Forgot Password Functionality

Configuring Your System for Application Security