Imagine an ASP.Net 2.0+ app that uses the built-in role-based security to restrict users to certain pages or actions.
Further suppose that rules exist that restrict individual users to subsets of data based on the user’s attributes (however those are implemented). For example, a manager can only look at performance history for his or her own subordinates. A sales manager can only look at sales target achievement information for his or her own sales reps. A sales rep can only look at pending orders for his or her own customers.
These rules affect how dropdowns and other multi-record displays are filled, and also what values can be typed in to textboxes for search and lookup purposes. There are many other possible functions and screen types that could potentially be affected. So this is a cross-app concern.
My question: what kind of patterns or techniques would make implementing such restrictions across an application easier?
Consider using your own custom attribute for these cross cutting concerns and implement possibly with a claims based identity system (ex. IClaimsIdentity – Windows Identity Foundation) for required attributes.
Since you are controlling data here based on users – I would also look into the Model View Presenter pattern for webforms since you are binding data, etc.
See: http://msdn.microsoft.com/en-us/library/ff647117.aspx
This allows you to better test your output based on whatever defined permissions you have and provides a better way to track your bindings to combo boxes, etc. than sticking a bunch of junk in your code behind.