Velocity Reviews - Computer Hardware Reviews

Best Practices for handling sensitive data in the UI

 
 
Bill Fuller
08-13-2007
Here is the scenario. We will be writing a web application that will need to
sometimes properly handle sensitive data (salary, ssn, profit, etc.) using
roles. This data will be restricted at a macro level (for example, no access
to accounting modules unless authorized) and a more granular level (no
visibility, read-only, and read-update to certain fields, such as personal
information, depending on role).

Question: Is there a good source of information on best practices for
handling this? For example, does it make sense to provide custom controls
for some/all of managed fields containing sensitive data?


 
Reply With Quote
 
 
 
 
George Ter-Saakov
08-13-2007
I usually create a "data class" that keeps all the sensitive data, takes a 'security
level' as a constructor argument and exposes the data using properties.
Like

class clsEmployee
{
    private readonly int iLevel;   // caller's security level, fixed at construction
    private decimal _dSalary;      // the sensitive value, never exposed directly

    public clsEmployee(int iLevel)
    {
        this.iLevel = iLevel;
    }

    public decimal Salary
    {
        get
        {
            // only level 1 sees the real salary; everyone else gets 0
            if (iLevel != 1)
                return 0;
            else
                return _dSalary;
        }
    }
}

George.
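As an added example (not code from George's post, from Bill's project or from CSLA), here is the same idea carried to the three access levels Bill asked about: no visibility, read-only and read-update, keyed on a role name instead of an integer level. FieldPolicy, EmployeeRecord, the roles HR/Manager/Employee and the sample salary and SSN are assumptions made for the illustration. What it adds to the snippet above is the division of labour: the UI, custom control or not, only asks CanRead/CanWrite to decide whether to render nothing, a label or an editor, while the getters and setters enforce the same policy on every path, so a forgotten control or a tampered postback cannot get past it.

```csharp
// Added example, not from George's post or any framework in this thread. It carries
// the "data class takes a security level" idea to the three access levels Bill listed
// (no visibility, read-only, read-update), keyed on role. FieldPolicy, EmployeeRecord,
// the HR/Manager/Employee roles and all sample values are illustrative assumptions.
using System;
using System.Collections.Generic;
using System.Security;

public enum FieldAccess { Hidden, ReadOnly, ReadWrite }

// Role -> field -> access. Hard-coded here; a real app loads it from config or a
// table, but the lookup must still default to Hidden.
public static class FieldPolicy
{
    private static readonly Dictionary<string, Dictionary<string, FieldAccess>> Rules =
        new Dictionary<string, Dictionary<string, FieldAccess>>
        {
            { "HR",       new Dictionary<string, FieldAccess> { { "Salary", FieldAccess.ReadWrite }, { "Ssn", FieldAccess.ReadWrite } } },
            { "Manager",  new Dictionary<string, FieldAccess> { { "Salary", FieldAccess.ReadOnly  }, { "Ssn", FieldAccess.ReadOnly  } } },
            { "Employee", new Dictionary<string, FieldAccess> { { "Salary", FieldAccess.Hidden    }, { "Ssn", FieldAccess.Hidden    } } },
        };

    public static FieldAccess For(string role, string field)
    {
        Dictionary<string, FieldAccess> fields;
        FieldAccess access;
        if (role != null && Rules.TryGetValue(role, out fields) && fields.TryGetValue(field, out access))
            return access;
        return FieldAccess.Hidden;   // default deny: unknown role or unknown field
    }
}

public sealed class EmployeeRecord
{
    private readonly string _role;
    private decimal _salary;
    private string _ssn;

    public EmployeeRecord(string role, decimal salary, string ssn) { _role = role; _salary = salary; _ssn = ssn; }

    // The UI asks these to pick a blank, a label or an editor for each field; the
    // getters and setters below enforce the same decision whatever the UI rendered.
    public bool CanRead(string field)  { return FieldPolicy.For(_role, field) != FieldAccess.Hidden; }
    public bool CanWrite(string field) { return FieldPolicy.For(_role, field) == FieldAccess.ReadWrite; }

    // Hidden yields null rather than 0: a zero salary is a legitimate value, and a
    // caller could not tell "hidden" from "unpaid".
    public decimal? Salary
    {
        get { return CanRead("Salary") ? _salary : (decimal?)null; }
        set
        {
            if (!CanWrite("Salary")) throw new SecurityException("Salary is not writable for role " + _role);
            if (!value.HasValue) throw new ArgumentNullException("value");
            _salary = value.Value;
        }
    }

    // Read-only roles get a masked SSN; only read-update roles see the raw value.
    public string Ssn
    {
        get
        {
            switch (FieldPolicy.For(_role, "Ssn"))
            {
                case FieldAccess.ReadWrite: return _ssn;
                case FieldAccess.ReadOnly:  return Mask(_ssn);
                default:                    return null;
            }
        }
        set
        {
            if (!CanWrite("Ssn")) throw new SecurityException("SSN is not writable for role " + _role);
            _ssn = value;
        }
    }

    private static string Mask(string ssn)
    {
        if (string.IsNullOrEmpty(ssn) || ssn.Length < 4) return "***-**-****";
        return "***-**-" + ssn.Substring(ssn.Length - 4);
    }
}

public static class Demo
{
    public static void Main()
    {
        foreach (string role in new[] { "HR", "Manager", "Employee", "Contractor" })
        {
            var rec = new EmployeeRecord(role, 85000m, "123-45-6789");   // constructed sample data
            Console.WriteLine("{0,-10} salary={1,-9} ssn={2,-12} canEditSalary={3}", role,
                rec.Salary.HasValue ? rec.Salary.Value.ToString() : "(hidden)", rec.Ssn ?? "(hidden)", rec.CanWrite("Salary"));
        }

        // A write from a role without ReadWrite fails in the data class, so a tampered
        // postback against a read-only form cannot smuggle the change through.
        try { new EmployeeRecord("Manager", 85000m, "123-45-6789").Salary = 1m; }
        catch (SecurityException ex) { Console.WriteLine("Rejected: " + ex.Message); }
    }
}
```

Two details worth keeping when adapting this: "Contractor" is not in the policy table and therefore sees nothing, which is the default-deny behaviour you want when a new role is added before its rules are; and a hidden field comes back as null rather than as 0 or "", so the rendering layer can distinguish "not permitted" from a real value without consulting the policy a second time.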


Bill Fuller
08-13-2007
Interesting... I like that idea. Simple and elegant.

Thanks.

sloan
08-13-2007

You should take a look at the CSLA framework for this specific need, as an option.


Bill Fuller
08-13-2007
I'd never heard of this, but a quick Google on it looks promising.

I see the framework has support for Remoting. Do you know if it has been
extended to support WCF?

Also, do you know if it will complement Enterprise Library blocks? (Logging,
security, database, etc.)

sloan
08-13-2007
He was at my user group meeting a few weeks ago.

And he said it had been WCF enabled, as a DataPortal channel option.

If you buy the book, it'll be just the 2.0 version.

I think you can buy a supplement book from his website, and that's where you
get the extra stuff.

Check the DotNetRocks website; they had a good interview with Rocky as well,
where he discusses some of his framework in plain English.


I'm not using the CSLA currently, so I don't know about the Ent Lib Block
integration.
But odds are, it'll work fine. Rocky is very aware of "what's out there".




