Authorization Help

Topics: Building and extending application blocks, General discussion, Security Application Block
Aug 22, 2008 at 8:23 PM
Information about my program
My winforms app has 30,000 users.  These users are split up into 1000 companies.  There are 30 different "actions" in the program that are only allowed to different users.  For example, only certain users are allowed to see a certain button on a form.
So, each company has an admin and can set up the permissions for each user in their company. (User A can see the button, User B can not see the button, etc.)


I'm having a hard time designing this and trying to fit it into the EL Security paradigm. 

Would each user have a different role?  (That would be 900,000 roles)
I guess each of the 30 actions would be "rules"?
Then, if, say, 20,000 users have permission to see Button A, would I have to set up 20,000 entries within the Button A rule?  (like: <add name="Button A Rule" expression="I:UserA OR I:UserB OR I:UserC OR .............(20,000 times)" />

I would really appreciate any help, thanks!
Aug 25, 2008 at 1:13 PM

The purpose of roles is to decouple your rules from the actual users and actions. You wouldn't assign a role to each user/action pair; instead you would define the roles that make sense for your app (admin, approver, data entry, etc...) and configure each user with the roles that make sense for them. For 30 actions I could see between 10 and 20 roles.
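The role-based approach in this reply, as an added example that is not code from the thread or from Enterprise Library: a small Python evaluator for the Security Application Block's rule-expression syntax (`I:identity`, `R:role`, `AND`/`OR`/`NOT`, parentheses), re-implemented here for illustration, showing that the 20,000-identity `I:UserA OR I:UserB ...` rule from the question reduces to a single `R:` test once users are assigned roles. Role and user names are made up.

```python
# Added example, not EntLib's code: re-implements the block's rule-expression
# grammar (I:<identity>, R:<role>, AND, OR, NOT, parentheses) for illustration.
def tokenize(expr: str) -> list[str]:
    # Split parentheses off so "(R:A AND R:B)" tokenizes cleanly.
    return expr.replace("(", " ( ").replace(")", " ) ").split()

def evaluate(expr: str, identity: str, roles: set[str]) -> bool:
    """True if principal `identity` holding `roles` satisfies `expr` (NOT binds tightest, then AND, then OR)."""
    toks, pos = tokenize(expr), 0
    def peek(): return toks[pos] if pos < len(toks) else None
    def take() -> str:
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("unexpected end of expression")
        pos += 1
        return toks[pos - 1]
    def unary() -> bool:          # NOT x | ( expr ) | I:name | R:role
        t = take()
        if t == "NOT":
            return not unary()
        if t == "(":
            v = or_expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return v
        if t.startswith("I:"):
            return t[2:] == identity   # identity test
        if t.startswith("R:"):
            return t[2:] in roles      # role test
        raise ValueError(f"unexpected token {t!r}")
    def and_expr() -> bool:
        v = unary()
        while peek() == "AND":
            take()
            v = unary() and v          # operand first so its tokens are consumed
        return v
    def or_expr() -> bool:
        v = and_expr()
        while peek() == "OR":
            take()
            v = and_expr() or v
        return v
    result = or_expr()
    if peek() is not None:
        raise ValueError(f"trailing input at {peek()!r}")
    return result

def identity_rule(users: list[str]) -> str:
    # The per-user rule sketched in the question: "I:UserA OR I:UserB OR ...".
    return " OR ".join(f"I:{u}" for u in users)
```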

Aug 25, 2008 at 2:36 PM
Ok, it sounds like my requirements (each user's permissions can be fully customizable) don't fit into the EL Authorization paradigm.  I believe I'll have to write something from scratch, which is ok, I just love using EL.

Thanks for your help.
Aug 25, 2008 at 3:03 PM


You may want to give plain AzMan a chance; it has more features than those exposed by EntLib's AzMan provider.