How to design a system to filter requests on roles?


I have a requirement to design a WCF Service based system to filter requests on roles in C#.

Rules
    User can access X
    SuperUser can access Y
    Admin can access Z

    Database
    Resource AccessControl
    X        User,SuperUser,Admin
    Y        Admin
    Z        Admin

How do I create a system where I can transform these access controls into something like a hash or a calculated mathematical value so that I don't have to do multiple checks like

if (user == RequestUser.Role.User || user == RequestUser.Role.Admin)
{}

Instead do something like this

 Resource AccessControl               someCalculatedHashValue
    X        User,SuperUser,Admin     ????
    Y        Admin                    ????
    Z        Admin                    ????

if(user >= someCalculatedHashValue){}

Note: there could be one-to-many relationships

There are 3 best solutions below

0
On

Can't you use a Bit Vector for your roles (i.e. a Flags enumeration)?

That way you can simply add up the bits as your "hash".

0
On

You could create a custom implementation of IPrincipal that implements IsInRole by wrapping the ranking logic you describe.


Now that I look closer at your question, it sounds awfully much like ACL-based security, and not role-based security at all. You may want to take a look at this instead.

2
On

You failed to provide details about the system. Depending on the technology used there are already proven and well-known techniques to manage just that (WCF for example gives you this for "free").

The samples are probably not complete either, because the way you presented it

User, SuperUser, Admin
Admin
Admin

this could be handled with a simple enum and an int comparison and an enumeration like this:

public enum Role {
  Anonymous,
  User,
  SuperUser,
  Admin
}

if (user >= (int)Role.User) ...

But that's probably far too simple and doesn't cover your real need? In short: Can you elaborate?
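
The Flags-enumeration suggestion and the ordinal enum comparison above can be compared side by side in the following added example, which is not part of any answer. The class and method names (AccessControl, ParseMask, CanAccess) and the resource W are assumptions made for illustration; X, Y and Z mirror the question's table.

```csharp
using System;
using System.Collections.Generic;

[Flags]
public enum Role { None = 0, User = 1 << 0, SuperUser = 1 << 1, Admin = 1 << 2 }

public static class AccessControl
{
    // Parse the table's comma-separated AccessControl column into one mask.
    // Enum.TryParse also accepts numeric strings such as "8", so each name
    // must additionally be a declared member of Role.
    public static Role ParseMask(string csv)
    {
        Role mask = Role.None;
        foreach (string part in csv.Split(','))
        {
            Role r;
            if (!Enum.TryParse(part.Trim(), out r) || !Enum.IsDefined(typeof(Role), r))
                throw new FormatException("Unknown role: " + part);
            mask |= r;
        }
        return mask;
    }

    // Constructed sample rows: X, Y, Z are from the question's table; W is a
    // hypothetical non-hierarchical rule (SuperUser excluded).
    private static readonly Dictionary<string, Role> Allowed = new Dictionary<string, Role>
    {
        { "X", ParseMask("User,SuperUser,Admin") },
        { "Y", ParseMask("Admin") },
        { "Z", ParseMask("Admin") },
        { "W", ParseMask("User,Admin") }
    };

    // One AND per request. Unknown resources and callers with no roles are denied.
    public static bool CanAccess(Role held, string resource)
    {
        Role allowed;
        return resource != null
            && Allowed.TryGetValue(resource, out allowed)
            && (held & allowed) != Role.None;
    }

    public static void Main()
    {
        Console.WriteLine(CanAccess(Role.User, "X"));                  // role is listed for X
        Console.WriteLine(CanAccess(Role.SuperUser, "W"));             // an ordinal >= User test would admit this
        Console.WriteLine(CanAccess(Role.User | Role.SuperUser, "Y")); // several roles held, none listed
        Console.WriteLine(CanAccess(Role.Admin, "unknown"));           // resource not in table
    }
}
```

The mask stored per resource plays the part of the "calculated value" the question asks for; unlike a `>=` comparison, it stays correct when the permitted roles do not form a strict hierarchy.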