We are currently designing a User Roles and Permissions System in our web application (ASP.NET), and it seems that we have several cases that do no fit within the classical Role-Based Access Control (RBAC). I will post several questions, each devoted to a particular case, this being the first post.

We have the following case: not to allow a user view a certain page if the user lives in a particular city. This is a simple case that is coded in the following way:

if (User.City == “Moscow”)
// Allow the user to view the page.
else
// Do not allow the user to view this page.

Though this case is very simple and straightforward, it has nothing to do with the RBAC.

On StackOverflow, someone called this an Attribute-based Access Control.

Under the classical RBAC, it seems that this case should be designed like this: introduce a permission “City where the person lives”, this permission will have a property City. Then create a role, add a permission of type “City = Moscow” to it and the assign the role to the user. Looks extremely cumbersome.

The question is whether it is acceptable to introduce such non-RBAC approaches to our permissions system – does that break the design or not?

This might seem a primitive question, but we found that most applications use pure RBAC, and we started to think that we might be doing something wrong.

Thank you.