Implementing access rights and security in winforms/wpf [closed]

Question

Closed. This question needs details or clarity. It is not currently accepting answers.

---

Want to improve this question? Add details and clarify the problem by editing this post.

Closed 8 years ago.

Improve this question

Before I implement access rights and security for an application by copying the implementation of roles in windows and on user creation, each user must be assigned a role to limit his rights (note that i store data on a database which is i dont know if good or not). I don't know if this is how windows do it. So I want to ask how this is done professionally and securely in .NET. Any diagrams of process flow will be much appreciated.

Answer 1

Sounds fine, that is what most system I work on do in one form or another. Using Windows users you can be as sure as you can be it is indeed the user logged on to Windows. (Still not 100% though, someone else could logon as guest use a tool to modify the memory where the user name is stored in your app to impersonate them).

How safe is it? Well only as safe as the weakest link: how safe is the data in your database, how safe is the information travelling over the network, how safe is physical access?

What you do not specify is how you control access to the data, one measure you can take to make it safer is control access back-end rather than at the application level. e.g. Rather then downloading all data then limiting it bassed on the current user, pass the current user info to the back-end an only return the data they are allowed to see, that way they cannot circumvent your application level security e.g. by eavesdropping the network or modifying the application at runtime (e.g. for WPF see Snoop) or modifying actual binary - for which one technique of mitigating is using signing...