Lab 06: RBAC Implementation Report

Back to Lab 06 Dashboard

1. Introduction

This lab implements Role-Based Access Control (RBAC) for Pine Valley Furniture web interfaces built in previous labs. The solution defines role metadata in the database, authenticates users by role, and enforces page-level access controls.

2. Part (a): Database Schema Enhancement

The RBAC schema is implemented in rbac_schema.sql with the following changes:

• ROLE_t: New role master table for admin, staff, and customer.
• Users: Extended with Role_Id and Customer_Id columns.
• Foreign Keys: Users.Role_Id -> ROLE_t.Role_Id and Users.Customer_Id -> CUSTOMER_t.Customer_Id.
• Backfill: Legacy User_Role values are mapped to Role_Id for compatibility.

3. Part (b): Interface Code Updates

The following interfaces were updated to enforce RBAC behavior:

• Login.aspx.vb: Uses parameterized authentication query and resolves effective role from ROLE_t.
• Products.aspx.vb: Enforces authenticated access before page load.
• Orders.aspx.vb: Restricts customer role to its own Customer_Id; staff/admin can select any customer.
• Payment.aspx.vb: Allows only recognized roles (admin, staff, customer).
• Catalog.aspx.vb: Enforces admin-only access and redirects unauthorized users.
• UserRegistration.aspx.vb: Requires valid authenticated session.

4. Part (c): Test Cases

RBAC test cases are documented in rbac_test_cases.md. They verify:

• Valid login for admin/staff/customer.
• Invalid login handling.
• Admin-only catalog access.
• Customer order ownership enforcement.
• Session-based protection for unauthorized direct URL access.

5. Summary

This implementation delivers a repeatable RBAC setup with database-level role modeling, secure login handling, and interface-level authorization checks for key workflows.