Suppose you have a class Employee which has the employee's name, phone, and social security number. All employees would be allowed to get the name and phone number of any employee, but only payroll should have access to the employee's SSN. You wouldn't have multiple classes for each level of authorized access. So how can you write a class that checks for access level before giving up information?
I thought of an enumerated variable that is set when a user logs in, such as GOD would allow all access to everything and RECEPTIONIST would allow access to a very limited amount of employee information.
What is your method?
Secured Access to a Class
4 Replies - 4794 Views - Last Post: 14 April 2012 - 10:58 AM
Replies To: Secured Access to a Class
#2
Re: Secured Access to a Class
Posted 14 April 2012 - 07:55 AM
Yes, that's a good way of doing it. You have specific roles, areas of access, and access levels. Roles are just handy names to apply to people... areas would be things like "employee search, ssn, etc."... and yes... access levels would be an enumerated number (no access = 0, read = 1, read/write = 2).
#3
Re: Secured Access to a Class
Posted 14 April 2012 - 08:45 AM
Here's a database schema I use for all my web applications (This could work in Winforms as well):
    create table Account
    (
        AccountId int primary key identity(1,1),
        SummonerName nvarchar(1024) not null,
        Email nvarchar(2048) not null,
        [Password] nvarchar(64) not null,
        DateOfBirth DateTime,
        RegistrationDate DateTime,
        Firstname nvarchar(1024) not null,
        Lastname nvarchar(2048) not null
    )

    create table [Role]
    (
        RoleId int primary key identity(1,1),
        Name nvarchar(512) not null
    )

    create table AccountRoles
    (
        AccountRolesId int primary key identity(1,1),
        RoleId int foreign key references [Role](RoleId),
        AccountId int foreign key references Account(AccountId)
    )
Basically you create Roles, and assign a user N roles.
The downside of this is that you can only modify which roles a user has, not what a role can do. For my use cases this is good enough as I don't need to change what a role can do at runtime. I just hand code the permissions of a role in code, such as:
    [Role(Roles = "ContentEditor,Administrator")]
    public class DashboardController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }
    }
#4
Re: Secured Access to a Class
Posted 14 April 2012 - 09:39 AM
Roles like that are common, but force you to group people. Try to plan ahead enough so when your boss says: "I need John Smith to be able to see just this one property" or "I need Joe Blow to be both an Admin and an HR member"
I like to do something along these lines:
    public class EmployeePermissions
    {
        public bool CanSeeSSN { get; set; }
        public bool CanEditSSN { get; set; }
        public bool CanSeeDOB { get; set; }
        public bool CanEditDOB { get; set; }
        public bool CanSeeWages { get; set; }
        public bool CanEditWages { get; set; }
        public bool CanPrintRecords { get; set; }
        public bool CanExportRecords { get; set; }
        public bool CanMakeNewRecords { get; set; }
    }

    public class EmployeeHR
    {
        // Default permissions for this employee type
        public EmployeePermissions permissions = new EmployeePermissions
        {
            CanMakeNewRecords = false, // Only a supervisor can do this
            CanSeeSSN = true,
            CanEditSSN = false,        // Supervisor only
            CanPrintRecords = true,
            CanExportRecords = false
        };
    }
Now you can assign default permissions by type, but a manager could have the ability to grant special permissions for one thing, to one person.
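The following is an added example, not code from any poster in this thread: it puts the check inside the Employee class from the original question, using role defaults as in post #3 plus the per-person grant described in post #4. The Permission, User and Demo types, the role names and the sample data are assumptions made for the illustration.

```csharp
using System;
using System.Collections.Generic;

[Flags] public enum Permission { None = 0, SeeSsn = 1, EditSsn = 2 }
public sealed class User
{
    // Hypothetical role defaults; a role that is not listed grants nothing.
    static readonly Dictionary<string, Permission> RoleDefaults = new Dictionary<string, Permission>
    {
        { "Receptionist", Permission.None },
        { "Payroll", Permission.SeeSsn },
    };
    public Permission Granted { get; private set; }
    public User(params string[] roles)
    {
        foreach (var role in roles)
            if (RoleDefaults.TryGetValue(role, out var p)) Granted |= p;
    }
    public void Grant(Permission extra) { Granted |= extra; }   // per-user exception
    public bool Can(Permission needed) { return (Granted & needed) == needed; }
}

public sealed class Employee
{
    readonly string _ssn;                      // no public property exposes the SSN
    public string Name { get; private set; }   // readable by every employee
    public string Phone { get; private set; }
    public Employee(string name, string phone, string ssn) { Name = name; Phone = phone; _ssn = ssn; }
    // The check sits beside the data, so every read goes through it.
    public string GetSsn(User caller)
    {
        if (caller == null || !caller.Can(Permission.SeeSsn))
            throw new UnauthorizedAccessException("SSN access denied");
        return _ssn;
    }
}

public static class Demo
{
    public static void Main()
    {
        var emp = new Employee("Pat Example", "555-0100", "000-00-0000"); // constructed sample data
        var reception = new User("Receptionist");
        Console.WriteLine(emp.GetSsn(new User("Payroll")));   // allowed by role default
        try { emp.GetSsn(reception); } catch (UnauthorizedAccessException e) { Console.WriteLine(e.Message); }
        reception.Grant(Permission.SeeSsn);                   // one-off grant to one person
        Console.WriteLine(emp.GetSsn(reception));
    }
}
```

The User object has to be built by the login code from the stored role assignments; if calling code can construct its own User, the check protects nothing.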
#5
Re: Secured Access to a Class
Posted 14 April 2012 - 10:58 AM
Thanks, you guys. Both answers are excellent. I was reading C# For Programmers when this question entered my brain. Their example class, of course, didn't deal with this and I was wondering how y'all would treat it.
Thanks again,