Posted 27 Jan 2016



Cool Privilege Control System Part 1 -- ASP.NET MVC

Updated 18 Jul 2016, licensed under Ms-PL, 17 min read
Standalone Privilege Control, Single Sign-On Solution

Cool Privilege Control System Part 1 -- MVC

Cool Privilege Control System Part 2 -- MVC with WCF

Angular Single-Page Applications - Cool Privilege Control System


Privilege control is a common and basic mechanism. People are allocated to different access roles: some can maintain sensitive information according to their role and others cannot. The computer world works the same way. Microsoft Windows, the well-known PC operating system, has a user management system built in: different users log in with different access rights and can operate on different files and folders, and the OS administrator creates user accounts with different privileges. If Ricky is an administrator and Jenny is a guest, both launch the system with their login name and password, but Ricky can control everything on the computer while Jenny has no permission beyond viewing. To handle the more complex cases we need a system to help us. It is also plain to see that privilege control is a basic mechanism on top of which the other systems are built.


Since privilege control is such a basic mechanism, it should already be implemented everywhere, and many readers will ask: "Why discuss it here? Are you wasting our time?". My answer is "No". In my years of experience I have taken part in developing many projects, and nearly all of them except the smallest had their own access right control. Take an HR management system as an example. It holds a lot of sensitive information and consists of many modules, such as ESS (Employee Self-Service), Leave, Payroll, Attendance and so on. Every one of those modules needs access right control. In the past we used to build a separate access right control for each module, which means a user named Jenny would end up with more than five accounts for one HR management system. That is hard for Jenny to remember and hard to maintain. Furthermore, most existing systems do not cover all the real cases: if Jenny is a sales manager, she should only be able to access the people in her own team and not her colleagues in other teams. So today I introduce Cool Privilege Control for anyone who has run into the same problems I did.

Cool Privilege Control, as I designed it, centralizes the management of functions and users and resolves the problem of different access levels. It looks like a single sign-on system and is built on MVC, but it is not limited to web applications, because I split the solution into several tiers: UI (user interface, MVC), BL (business layer) and DAL (data access layer). It is easy to replace the MVC UI with a Windows application (WPF) and to combine the BL and DAL into a WCF service. If you are an MVC developer, Cool Privilege Control gives you not only a single sign-on solution but also a scaffolding project for prototypes. It:


  1. Resolves normal access control issues (i.e. user and user role, function and function type).
  2. Resolves the problem of a user who has different access levels in different organizations.
  3. Provides powerful audit logs, trace logs and exception logs.
  4. Lets you create a prototype with privilege control and an auto-generated menu easily and quickly.
  5. Supports multiple languages.

Look And Feel

First of all, I captured some screens of the application to give you a feel for it before going into detail.

Figure 4.1 (Login Screen)

Figure 4.2 (Function Management)

Figure 4.3 (Edit Login User)

Figure 4.4 (System Audit Log Management)

Pretty cool, right? Thanks, Bootstrap! It is a beautiful UI toolkit that saves developers a lot of work. From here on we go a little deeper and analyze the access control scenarios that occur in real life.


5.1 Scenario 1

A system has many functions, and each function has many function types (i.e. insert, update, import, export and so on). A function type can be assigned to several functions: Function A has an import method and Function B has an import method as well. So the relationship between function and function type is many-to-many, as the following entity relationship diagram shows.

Figure 5.1.1 Function and Function Type relationship

Note: In practice the function structure can be quite complex. I use the "000100010001" format to separate function levels: each four-digit segment is one level. For example, function path "0001" identifies the HR Module, which contains many functions: "00010001" identifies Staff Info Management and "00010002" identifies Salary Info Management, and below that, "000100020001" and "000100020002" identify Salary Info Maintenance and Salary Review.

Figure 5.1.2 Functions Structure (HR Module)

From a path such as "000100020002" we can find the top menu, "HR Module", directly by walking up the path recursively. Each level holds 9999 functions. We can of course lengthen the segments to increase the function count per level: with the "000010000200002" format (five digits per level) instead of "000100020002", each level can store 99999 functions. The figure below shows what the menu looks like.

Figure 5.1.3 Menu (HR Module)
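To make the path encoding concrete, here is an added Python example (not code from the article's project) that validates a function path, lists its ancestors, finds the top menu and builds the menu tree by recursion. It also generalizes the segment width, so the five-digit variant works the same way. The HR_FUNCTIONS table is constructed from Figure 5.1.2; the function names are assumptions.

```python
# Added example (not from the article's project): working with the
# "000100020002" function-path encoding.  Each level is a fixed-width,
# zero-padded numeric segment; width 4 gives 9999 slots per level and
# width 5 gives 99999 (the "000010000200002" variant).
from __future__ import annotations


def split_path(path: str, width: int = 4) -> list[str]:
    """Validate a function path and return its segments,
    e.g. "000100020002" -> ["0001", "0002", "0002"]."""
    if width < 1:
        raise ValueError("segment width must be positive")
    if not path or len(path) % width != 0 or not path.isdigit():
        raise ValueError(f"malformed function path: {path!r}")
    segs = [path[i:i + width] for i in range(0, len(path), width)]
    if any(int(s) == 0 for s in segs):          # "0000" is not a valid slot
        raise ValueError(f"zero segment in function path: {path!r}")
    return segs


def ancestors(path: str, width: int = 4) -> list[str]:
    """Ancestor paths from the top-level menu down to the direct parent:
    "000100020002" -> ["0001", "00010002"]."""
    segs = split_path(path, width)
    return ["".join(segs[:i]) for i in range(1, len(segs))]


def top_menu(path: str, width: int = 4) -> str:
    """The top-level module a function belongs to ("0001" = HR Module)."""
    return split_path(path, width)[0]


def build_menu(functions: dict[str, str], width: int = 4) -> list[dict]:
    """Build a nested menu tree from {path: name}.  Recursive: a node's
    children are the paths exactly one segment longer that start with it."""
    def children_of(prefix: str) -> list[dict]:
        nodes = []
        for p in sorted(functions):
            if len(p) == len(prefix) + width and p.startswith(prefix):
                nodes.append({"path": p, "name": functions[p],
                              "children": children_of(p)})
        return nodes
    return children_of("")


def render_menu(tree: list[dict], indent: int = 0) -> str:
    """Plain-text rendering of the tree for quick inspection."""
    lines = []
    for node in tree:
        lines.append("  " * indent + f"{node['path']} {node['name']}")
        lines.append(render_menu(node["children"], indent + 1))
    return "\n".join(line for line in lines if line)


# Constructed sample data mirroring Figure 5.1.2 (HR Module).
HR_FUNCTIONS = {
    "0001": "HR Module",
    "00010001": "Staff Info Management",
    "00010002": "Salary Info Management",
    "000100020001": "Salary Info Maintenance",
    "000100020002": "Salary Review",
}

if __name__ == "__main__":
    print(ancestors("000100020002"))      # ['0001', '00010002']
    print(render_menu(build_menu(HR_FUNCTIONS)))
```

The validation in split_path is the part worth keeping in a real implementation: a path whose length is not a multiple of the segment width, or that contains a "0000" segment, would otherwise silently attach a function to the wrong parent in the menu.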

5.2 Scenario 2

A login user can be assigned specific functions or specific roles. If a login user is assigned several roles, the user can access every function defined in any of those roles. That is, if Role A has access to Function A and Role B has access to Function B, and both roles are assigned to a user named "Ricky", then Ricky can access Function A and Function B. The figure below shows the user-role entity relationship.

Figure 5.2.1 user-role relationship

5.3 Scenario 3

Each user can also be assigned to one or more specific organizations; if you do that, he or she is only allowed to access the information of his or her subordinates. To support this we introduce a new entity called "Organization Detail", which stores the privileges that come with an organization assignment. That may not be easy to grasp, so let us take a concrete case.

  1. A user named "Angus" whose business titles are Project Manager and Sales Assistant Manager. Assume the following settings:
    Read-only right on function "Function Management".
    Full access right on function "Login User Management" at Project Manager level.
    Read-only right on function "Login User Management" at Sales Assistant Manager level.
  2. A user named "Wells" is a member of the project team.
  3. A user named "Michael" is a member of the sales team.

Expected result:

When Angus logs into the system, he can access two functions: "Function Management" and "Login User Management". According to the settings, Angus only has search and view rights on "Function Management". On "Login User Management", Angus can insert/update/delete the records of users who are project team members, but for users under the sales team he can only view and search; he cannot insert/update/delete them.

To implement the case above we create two organization details settings, "ReadOnly" and "Login User Full Access". The screens below show the organization details settings.

Figure 5.3.1 Function Detail Setting -- ReadOnly

Description: The organization details named "ReadOnly" has "Search" and "View" on Function Management.

Description: The organization details named "ReadOnly" only has "Search" and "View" on Login User Management.

Figure 5.3.2 Function Detail Setting -- Login User Full Privilege

Description: The organization details named "Login User Full Privilege" has full access rights on Login User Management.

Figure 5.3.3 Login User Settings

Description: The login user named "Angus" is assigned two organization settings:
Project Team: Login User Full Access.
Sales Team: ReadOnly.

Figure Organization Structure

Figure Organization Structure Settings

Description: The organization settings above use the "000100010001" format to represent the organization structure.

Figure 5.3.5 Login User List (All Users)

After Angus logs in, he sees the following screens.

Figure 5.3.6 Function Management Screen

Description: All Edit/Delete buttons in this screen are dimmed, because "Angus" only has view/search rights on this function.

Figure 5.3.7 Login User Management Screen

Description: In this screen the Edit and Delete buttons are dimmed for the rows whose login name is Angus or Michael, because Angus cannot maintain users under the sales team or himself, but he can maintain the users under the project team.

The figure below shows the ER diagram of the scenario.

Figure 5.3.6 Entity Relationship of Scenario
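The evaluation that produces the expected result above, written out as an added Python example. It is not code from the Cool Privilege Control project; the function paths, organization paths, role contents and the rule that a user's own record stays read-only (taken from the Figure 5.3.7 description) are assumptions for the demo. It covers both Scenario 2 (rights from several roles are unioned) and Scenario 3 (an organization assignment only grants rights over records in that organization's subtree):

```python
# Added example (not the project's own code): a user's effective rights from
# the three grant sources the scenarios describe: functions assigned directly,
# functions inherited from roles (Scenario 2), and organization assignments
# that pair an organization unit with an "Organization Details" rule
# (Scenario 3).  Paths use the article's fixed-width segment encoding; every
# path, name and role below is constructed for the demo.
from __future__ import annotations
from dataclasses import dataclass, field

SEG = 4                                   # width of one "0001" path segment
Grant = dict[str, set[str]]               # {function path: {function types}}


def merge(*grants: Grant) -> Grant:
    """Union of several grants: Role A + Role B => rights of both."""
    out: Grant = {}
    for g in grants:
        for fn, types in g.items():
            out.setdefault(fn, set()).update(types)
    return out


def within(org_path: str, unit_path: str) -> bool:
    """True if org_path is unit_path itself or one of its descendants."""
    return (org_path.startswith(unit_path)
            and (len(org_path) - len(unit_path)) % SEG == 0)


@dataclass
class User:
    login: str
    org_path: str                                    # unit the user belongs to
    functions: Grant = field(default_factory=dict)   # "Specific Functions"
    roles: list[str] = field(default_factory=list)   # "As Role Settings"
    org_assignments: list[tuple[str, str]] = field(default_factory=list)
    #                 (organization unit path, organization-details name)


class PrivilegeControl:
    def __init__(self, roles: dict[str, Grant], org_details: dict[str, Grant]):
        self.roles = roles
        self.org_details = org_details

    def unscoped_grant(self, user: User) -> Grant:
        """Rights that apply regardless of whose record is touched."""
        return merge(user.functions, *(self.roles[r] for r in user.roles))

    def can(self, user: User, function: str, ftype: str,
            target: User | None = None) -> bool:
        """May `user` perform `ftype` on `function`?  `target` is the owner of
        the record acted on (None for a function-level check such as a menu)."""
        if (target is not None and target.login == user.login
                and ftype not in {"View", "Search"}):
            return False        # assumed from Figure 5.3.7: own record read-only
        if ftype in self.unscoped_grant(user).get(function, set()):
            return True
        for unit, detail in user.org_assignments:
            if target is not None and not within(target.org_path, unit):
                continue        # assignment does not cover the target's unit
            if ftype in self.org_details[detail].get(function, set()):
                return True
        return False


# ---- constructed data reproducing the Scenario 3 walkthrough ---------------
FUNC_MGMT, USER_MGMT = "00040001", "00040002"          # function paths
PROJECT_TEAM, SALES_TEAM = "00010001", "00010002"      # organization paths
FULL = {"Search", "View", "Create", "Edit", "Delete"}

ORG_DETAILS: dict[str, Grant] = {
    "ReadOnly": {FUNC_MGMT: {"Search", "View"}, USER_MGMT: {"Search", "View"}},
    "Login User Full Privilege": {USER_MGMT: set(FULL)},
}
ROLES: dict[str, Grant] = {                            # Scenario 2 roles
    "Role A": {FUNC_MGMT: set(FULL)},
    "Role B": {USER_MGMT: {"Search", "View"}},
}
angus = User("angus", PROJECT_TEAM, org_assignments=[
    (PROJECT_TEAM, "Login User Full Privilege"), (SALES_TEAM, "ReadOnly")])
wells = User("wells", PROJECT_TEAM)
michael = User("michael", SALES_TEAM)
ricky = User("ricky", PROJECT_TEAM, roles=["Role A", "Role B"])

pc = PrivilegeControl(ROLES, ORG_DETAILS)


def expected_result() -> dict[str, bool]:
    """The checks behind the 'Expected result' paragraph, keyed by description."""
    return {
        "angus edits wells (project team)": pc.can(angus, USER_MGMT, "Edit", wells),
        "angus edits michael (sales team)": pc.can(angus, USER_MGMT, "Edit", michael),
        "angus views michael": pc.can(angus, USER_MGMT, "View", michael),
        "angus edits a function": pc.can(angus, FUNC_MGMT, "Edit"),
        "angus searches functions": pc.can(angus, FUNC_MGMT, "Search"),
        "angus edits himself": pc.can(angus, USER_MGMT, "Edit", angus),
        "ricky (Role A + Role B) deletes a function": pc.can(ricky, FUNC_MGMT, "Delete"),
    }


if __name__ == "__main__":
    for desc, ok in expected_result().items():
        print(f"{desc}: {'allowed' if ok else 'denied'}")
```

The point to notice is that the same check decides both what the UI shows (target is None, so only the function and type matter, which is what dims the buttons) and what a controller action must re-verify when a record is actually edited (target supplied, so the organization subtree is enforced). Dimming a button without the second check would leave the record-level restriction unenforced.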


To serve both MSSQL and MySQL developers, I publish two versions of the project. If you use MSSQL, please download "", otherwise please download "". I also list my development environment for your reference. If your local environment is older than mine, I suggest upgrading first so that you can run the program successfully; if your local version is equal to or newer than mine, I trust there are no compatibility issues.

  1. Microsoft Visual Studio 2013
  2. .NET Framework 4.5.1
  3. MSSQL Server 2012 or MySQL 5.6.26
  4. MVC 5.2.3
  5. Entity Framework 6.0

Mandatory step: after opening the solution, right-click the solution and select "Enable NuGet Package Restore".

Figure 6.0.1 Enable NuGet Package Restore


6.1.1 For MySQL users

Figure 6.1.1 web.config (MySQL version)

Pay attention to the appSettings node: change the DBSource/DBName/DBPort/LoginName/LoginPWD values to match your MySQL server settings.

Property: Description
DBSource: IP address of the server host
DBName: Database name
DBPort: Server TCP/IP port
LoginName: DB user name
LoginPWD: DB user password
IsDebug: If set to true, every exception is shown on the page; if false, exceptions are not shown.

6.1.2 For MSSQL users

Figure 6.1.2 web.config (MSSQL version)

As for MySQL users, change the DBSource/DBName/LoginName/LoginPWD values to match your MSSQL server settings; there is no DBPort. In MSSQL Server the port number is specified after the server name or IP address, separated by a comma, e.g.

WELLSCHEUNG\MSSQLSERVER2012,49287

where 49287 is the port.

Property: Description
DBSource: IP address of the server host (with port: "server name or IP address,port")
DBName: Database name
LoginName: DB user name
LoginPWD: DB user password
IsDebug: If set to true, every exception is shown on the page; if false, exceptions are not shown.

6.1.3 Enable or Disable DB initializer

This is a feature of the Entity Framework code-first design pattern, and the most useful one I have come across. When you run the project, if the database instance does not yet exist on the server and the flag is enabled, Entity Framework initializes the database schema for you. For more information please refer to MSDN. If you do not want the database initialized automatically (which would overwrite your database), set the attribute "disableDatabaseInitialization" on the context element to true.

Figure 6.1.3 disableDatabaseInitialization flag

Alternatively, you can initialize the DB from a SQL script or a database backup. I prepared a SQL script for MySQL users to execute and a database backup for MSSQL users to restore.

MySQL script (change the file's extension to ".sql")

MSSQL database backup (change the file's extension to ".bak")

6.2 Edit Log4Net.config file

We use log4net to record trace information and error information. Most of you probably have more experience with log4net than I do, so I will not repeat the basics here. I will only point out that every function in the system has trace logging enabled by default (i.e. both input and output information are recorded). That makes it easy to trace an error even when we cannot run the Visual Studio debugger during onsite support.

It is easy to turn tracing off or to change which kind of information is captured. log4net pre-defines seven levels, listed here in increasing order of priority:

  • ALL
  • DEBUG
  • INFO
  • WARN
  • ERROR
  • FATAL
  • OFF

Set the "level" attribute in log4net.config to one of the levels above.

Figure 6.2.1 Log4Net.config

SysLog: logs all information of the system.
ErrorLog: logs only the exceptions of the system.

As said before, those settings affect every function in the system. If you want to disable the logger for an individual function, mark it with the "[UnTracerAction]" attribute and it will not be traced.

Figure 6.2.2 UnTracerAction Function

If you only want to verify whether a function was executed, without the detailed information, mark it with "[TracerActionWithDetails(EnableTracer=false)]".

Figure 6.2.3 [TracerActionWithDetails(EnableTracer=false)] Function

The screen captures below show the result of the two settings.

Figure 6.2.4 The log of a tracer action without details

Figure 6.2.5 The log of a tracer action with details
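As an added illustration (not the project's own tracer attributes, which are C# action filters), the Python decorator below reproduces the three behaviours described above: a full trace with input and output (the default), an execution-only trace (EnableTracer=false) and no trace at all (UnTracerAction). The decorator names, the SENSITIVE set and the sample actions are assumptions. One thing the example adds is that password-like inputs are redacted before they reach SysLog, which matters when every function's input is traced by default:

```python
# Added example (not the project's tracer): three tracing modes as decorators.
# Logger names follow the two loggers in log4net.config (SysLog, ErrorLog).
from __future__ import annotations
import functools
import logging
from typing import Callable

SENSITIVE = {"password", "loginpwd", "confirmpassword"}   # never written to traces
log = logging.getLogger("SysLog")
err = logging.getLogger("ErrorLog")


def _redact(kwargs: dict) -> dict:
    return {k: ("***" if k.lower() in SENSITIVE else v) for k, v in kwargs.items()}


def tracer_action(details: bool = True) -> Callable:
    """Decorator: log entry and exit of an action.  details=True also records
    the (redacted) arguments and the return value; details=False only records
    that the action ran, like [TracerActionWithDetails(EnableTracer=false)]."""
    def deco(fn: Callable) -> Callable:
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            if details:
                log.info("%s called with %s %s", fn.__name__, args, _redact(kwargs))
            else:
                log.info("%s called", fn.__name__)
            try:
                result = fn(*args, **kwargs)
            except Exception:
                err.exception("%s failed", fn.__name__)   # ErrorLog: exceptions only
                raise
            if details:
                log.info("%s returned %r", fn.__name__, result)
            else:
                log.info("%s finished", fn.__name__)
            return result
        return wrapper
    return deco


def untracer_action(fn: Callable) -> Callable:
    """Decorator: opt this action out of tracing entirely ([UnTracerAction])."""
    return fn


class RecordingHandler(logging.Handler):
    """Collects formatted records so the trace can be inspected in-process."""
    def __init__(self):
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record):
        self.lines.append(f"{record.name} {record.levelname} {record.getMessage()}")


@tracer_action()                        # default: trace with details
def create_login_user(login: str, password: str) -> str:
    return f"created {login}"


@tracer_action(details=False)           # execution-only trace
def export_users(fmt: str) -> int:
    return 42


@untracer_action                        # not traced at all
def health_check() -> bool:
    return True


def run_demo() -> list[str]:
    """Run the three sample actions and return the captured log lines."""
    handler = RecordingHandler()
    for logger in (log, err):
        logger.handlers.clear()
        logger.addHandler(handler)
        logger.setLevel(logging.INFO)
        logger.propagate = False
    create_login_user("angus", password="s3cret")
    export_users("xlsx")
    health_check()
    return handler.lines


if __name__ == "__main__":
    print("\n".join(run_demo()))
```

With the default "trace everything" setting, the redaction step is the difference between a useful trace log and a log that stores every submitted password in clear text; the exception path writes only to ErrorLog, matching the SysLog/ErrorLog split above.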

After the settings above, the system is ready to use. Press "F5" in Visual Studio and check whether there are any compile errors. If any errors come up, you can send them to me for inspection or search for a solution on Google yourself.

In the next section I introduce the functions of the system: creating function types, functions, login users, roles, organizations and access levels, assigning functions to a specific login user, and so on.

How To Use

7.1 System Settings

1. Click the sub menu "System Info Management" under the main menu "Access Management".

2. Change the values according to your requirements.

Key: Description
Session Timeout (Seconds): Default value is 10 mins = 600 seconds. Cool Privilege Control has its own session management mechanism, which relies on the ASP.NET session. That means if you change the value to 20 mins or more, a session will still only stay alive for 20 mins without user activity, because the ASP.NET session idle time is 20 mins by default. If you want a session timeout longer than 20 mins, you must set the ASP.NET session timeout larger than the Cool Privilege Control session timeout. I usually extend the session timeout to 60 mins.
Page Size: Page size of each list page.
Maximum Page Numbers Showing in Page Bar: Maximum number of page links shown in the page bar.
Date Format: Default format yyyy-MM-dd, e.g. 2016-01-21.
Time Format: Default format HH-mm-ss, e.g. 22:10:05.
Password Policy: Contains many rules. I think it covers normal usage and I will not spend time explaining each rule here; I trust you can understand them.

7.2 Maintain Function Type

Cool Privilege Control lets users create function types directly. View, Search, Create, Edit, Delete, Export, Import, Preview and Process are the most frequently used function types, so to avoid duplicated effort the system adds them automatically after the database is initialized.

  1. Create Function Type

    1. Click the Create Function Type button at the bottom left of the Function Type Management page.
    2. Type the function type, such as "Generate".
    3. Click the Save button.

  2. Delete Function Type

    Click the Delete button of the record you want to remove.

  3. Edit Function Type

    1. Click Edit.
    2. Change the function type.
    3. Click the Save button.

7.3 Maintain Function

As section 5 described, Cool Privilege Control uses the "000100010001" format to separate functions. In theory the system supports an unlimited number of function levels and 9999 functions per level.

  1. Create Function

    1. Click the Create Function button at the bottom left of the Function Management page.
    2. Type the Function Key and Function Path, and select the Function Types that belong to this function.
    3. Click the Save button.

  2. Delete Function

    Click the Delete button of the record you want to remove.

  3. Edit Function

    1. Click the Edit button of the record you want to change.
    2. Change the values and click the Save button.

7.4 Maintain Role

  1. Create Role

    1. Click the Create User Role button at the bottom left of the Role Management page.
    2. Type the role name, e.g. Admin.
    3. Assign functions with function types to the new role.
    4. Click the Save button.

  2. Delete Role

    Click the Delete button of the record you want to remove.

  3. Edit Role

    The steps are the same as in the section above.

7.5 Maintain Organization

  1. Create Organization

    1. Click the Create Organization button at the bottom left of the Organization Management page.
    2. Type the Organization Key, e.g. CEO.
    3. Type the Organization Path, e.g. 0001.

  2. Delete Organization (omitted)

  3. Edit Organization (omitted)

7.6 Maintain Organization Details

  1. Create Organization Details

    1. Click the Create Organization Details button at the bottom left of the Organization Details Management page.
    2. Type the Organization Details Key.
    3. Select the Organization Details Type.

      There are two types of organization details: "Specific Functions" and "As Role Settings". You can either assign specific functions to it or make it follow a role's settings.

      Figure 7.6.1 Specific Function
      Figure 7.6.2 As Role Settings

    4. Click the Save button.

  2. Delete Organization Details (omitted)

  3. Edit Organization Details (omitted)

7.7 Maintain Login User

  1. Create Login User

    1. Click the Create Login User button at the bottom left of the Login User Management page.
    2. Type the mandatory fields, such as Login Name / Password / Confirm Password / Status.
    3. Select the Login User Type:

      1. Specific Functions: assign specific functions to the user.
      2. As Role Settings: assign pre-set roles to the user.
      3. As Organization Settings: assign organization units, each with its organization details, to the user.

    4. Click the Save button.

  2. Delete Login User (omitted)

  3. Edit Login User (omitted)

7.8 System Audit Log Management

In this function you can retrieve all events recorded by the system and filter them via the selection criteria. You can also export the log as an Excel file for inspection.


7.9 Authorized History Management


7.10 Multilingual

As the first section mentioned, Cool Privilege Control is built on a multi-language design. Currently there are three languages in the system: English, Simplified Chinese and Traditional Chinese. The language packs can be extended by adding resource files. I hope you can help me add more language packs to the system: send your resource file to my email ( or ) and I will consolidate all resource files and inject them into the system. The following section describes how to create localized versions of the resource files.

7.10.1 Create localized version of resource files

  1. Open the project named "CoolAccessControlLangPack".

    We need to create three categories of resource files: FunctionRes.resx, lblCommon.resx and MsgRes.resx.

  2. In Solution Explorer, right-click the project, point to Add, and then click New Item.

  3. In the Add New Item dialog box, select Resources File and name the file for the target culture; the file name indicates the language (German) and the country (Germany).

    File name format:

    <base file name>.<language-country>.resx

    If you do not know the country code and language code, please visit the link below.

    We have to create three files for each language and country.

  4. Open the Resource Designer, change Access Modifier to "No code generation" and copy all key-value pairs from the base resource file to the new resource file.
  5. Translate every sentence in the Value column into your local language.
  6. Save the file and repeat the same steps to create the remaining files, i.e. lblCommon.xx-xx.resx and so on.
  7. Send the three files to me ( or ) and I will consolidate everyone's resources and publish a new version with your language pack to the site. Thank you.
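Steps 4 and 5 (copy every key from the base file, then translate the values) can be checked mechanically. The Python below is an added example, not part of the CoolAccessControlLangPack project: it derives a culture-specific .resx skeleton from a base file, names it as <base file name>.<language-country>.resx, and reports keys that are missing or still untranslated. The BASE_RESX content is a constructed stand-in for lblCommon.resx:

```python
# Added example (not project code): build and check localized .resx files.
from __future__ import annotations
import xml.etree.ElementTree as ET


def _entries(resx_xml: str) -> dict[str, str]:
    """{key: value} for every <data name="..."><value>...</value></data>."""
    root = ET.fromstring(resx_xml)
    out: dict[str, str] = {}
    for data in root.findall("data"):
        value = data.find("value")
        out[data.get("name")] = value.text if value is not None and value.text else ""
    return out


def localized_filename(base_filename: str, culture: str) -> str:
    """'lblCommon.resx' + 'de-DE' -> 'lblCommon.de-DE.resx'."""
    if not base_filename.endswith(".resx"):
        raise ValueError("base file must be a .resx file")
    return f"{base_filename[:-5]}.{culture}.resx"


def make_localized_resx(base_xml: str,
                        translations: dict[str, str] | None = None) -> str:
    """Culture-specific .resx with the same keys as the base; values come from
    `translations` where present, otherwise the base value is copied."""
    translations = translations or {}
    root = ET.Element("root")
    for key, value in _entries(base_xml).items():
        data = ET.SubElement(root, "data", {"name": key, "xml:space": "preserve"})
        ET.SubElement(data, "value").text = translations.get(key, value)
    return ET.tostring(root, encoding="unicode")


def missing_keys(base_xml: str, localized_xml: str) -> set[str]:
    """Keys present in the base file but absent from the localized one."""
    return set(_entries(base_xml)) - set(_entries(localized_xml))


def untranslated_keys(base_xml: str, localized_xml: str) -> set[str]:
    """Keys whose localized value still equals the base (English) value."""
    base, loc = _entries(base_xml), _entries(localized_xml)
    return {k for k, v in base.items() if loc.get(k) == v}


# Constructed stand-in for lblCommon.resx (the real file has many more keys).
BASE_RESX = """<root>
  <data name="btnSave" xml:space="preserve"><value>Save</value></data>
  <data name="btnDelete" xml:space="preserve"><value>Delete</value></data>
  <data name="lblLoginName" xml:space="preserve"><value>Login Name</value></data>
</root>"""

if __name__ == "__main__":
    de = make_localized_resx(BASE_RESX, {"btnSave": "Speichern", "btnDelete": "Löschen"})
    print(localized_filename("lblCommon.resx", "de-DE"))
    print(de)
    print("still untranslated:", untranslated_keys(BASE_RESX, de))
```

Running missing_keys against each of the three files before sending them catches the common mistake of a key that exists in the base file but not in the localized one, which would otherwise show up as an empty label only in that language.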

Testing Site

For those who want to try the system immediately or trace bugs, I created a testing site. Please visit . To protect the testing site I had to lock the admin account and the functions whose function path starts with "0004". The site data is restored at midnight US Eastern time.

I set up several accounts for you to test with.

Admin -- Administrator

Login Name: admin

Angus – Project Manager

Login Name: angus

Wells – Project team developer

Login Name: wells

Alice – Project team officer

Login Name: alice

Tim – Sales Manager

Login Name: tim

Michael – Sales

Login Name: michael

Test-driven development

Cool Privilege Control System follows the test-driven development (TDD) approach. For many companies TDD is mandatory in the iterative development cycle. Cool Privilege Control System contains 40 test cases covering all controllers; you can test all functions by clicking "Run All" in Test Explorer. You can of course add new test cases or add conditions to the original ones according to your requirements. Cool Privilege Control System uses xUnit and Mock. xUnit is a test framework integrated into Visual Studio, like MSTest and NUnit. For more information, visit the official site.

Figure 6.0.1 Test Explorer


Cool Privilege Control builds on many interesting technologies and design patterns, such as MVC, MEF, Entity Framework, jQuery and Bootstrap (UI). I am sorry I cannot introduce all of them in such a short space. If you have any questions about Cool Privilege Control, feel free to contact me. Thanks for reading.


2016-01-22 Initial publication

2016-02-01 Renamed the project from "Cool Access Control" to "Cool Privilege Control"; fixed bugs and a display issue.

2016-02-02 Fixed the download links' destination.

2016-02-08 WCF Service preparation

2016-03-01 Merged with the WCF Service version and added the testing project.

2016-07-18 Moved the project to GitHub.


This article, along with any associated source code and files, is licensed under The Microsoft Public License (Ms-PL)


About the Author

wells cheung
Software Developer (Senior)
United States United States
ASP.NET Developer 3.5(Microsoft® Certified Professional Developer)
.NET Framework 3.5, ASP.NET Applications(Microsoft® Certified Technology Specialist)
