Complex authorization rules?

Topics: Security Application Block
Jun 27, 2008 at 8:48 AM
I would like to include complicated authorization in my app and store the information in ADAM or Active Directory.

For example,
An operation or task called 'CreateOrder' and include a maximum amount the user is allowed to create an order for of $500.
An operation or task called 'UpdateEmployee' and include logic that they must be the employee's supervisor.

As far as I can tell this logic can be added to ADAM/AD by attaching VBScripts to tasks and providing the required parameters at run time. There doesn't seem to be any way to enter additional information such as the limit is $500 for members of the role 'Clerk' when performing the operation 'CreateOrder'.

Does this kind of logic have to be implemented in my app instead?

It seems pointless to use the authorization block unless this level of complexity can be administered along with the basic permissions. If a user is to configure that another user may 'CreateOrders' then I would want them to be able to set the limit '$500' at the same time.

Help!
Jun 27, 2008 at 4:01 PM
Hi,

EntLib's AzManAuthorizationProvider, limited as it is by the narrow IAuthorizationProvider interface, doesn't deal with the parameters that would be required by such rules.

Based on your description, it seems to me you're better off using the AzMan Interop assembly directly. I don't see an admin configuring both an operation's limit and the ability of a user to execute the operation at the same time, though; most likely roles and tasks will be defined separately from assigning users to roles. But that doesn't change the fact that you cannot supply the necessary information (e.g. the order amount) to the rules through EntLib's block.

Hope this helps,
Fernando
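
The direct AzMan call suggested in the reply above, as an added example that is not part of either post and not Enterprise Library code: it passes the order amount to the task's BizRule through `AccessCheck`. The store URL, application name, operation ID, parameter name and the BizRule text in the comment are assumptions made for illustration.

```csharp
// Requires a reference to the AzMan interop assembly (Microsoft.Interop.Security.AzRoles).
// BizRule (VBScript) assumed to be attached to the task that contains CreateOrder:
//   AzBizRuleContext.BusinessRuleResult = False
//   If AzBizRuleContext.GetParameter("Amount") <= 500 Then
//       AzBizRuleContext.BusinessRuleResult = True
//   End If
using System;
using System.Security.Principal;
using Microsoft.Interop.Security.AzRoles;

public static class OrderAuthorization
{
    // All four values below are placeholders, not taken from the thread.
    const string StoreUrl = "msxml://C:\\AzMan\\store.xml"; // policy store location
    const string AppName = "OrderApp";                       // AzMan application name
    const int CreateOrderOperationId = 1;                    // operation ID in the store
    const int NoError = 0;                                   // AccessCheck result for "granted"

    public static bool CanCreateOrder(WindowsIdentity user, decimal amount)
    {
        var store = new AzAuthorizationStoreClass();
        store.Initialize(0, StoreUrl, null);
        IAzApplication app = store.OpenApplication(AppName, null);
        IAzClientContext client = app.InitializeClientContextFromToken(
            (ulong)user.Token.ToInt64(), null);

        // Parameter names must be sorted alphabetically; values are matched by position.
        object[] names = { "Amount" };
        object[] values = { (double)amount };  // passed as a double for the VBScript rule
        object[] scopes = { "" };              // default application scope
        object[] operations = { CreateOrderOperationId };

        // The first argument is only the object name written to the audit log.
        object[] results = (object[])client.AccessCheck(
            "CreateOrder", scopes, operations, names, values, null, null, null);

        // Fail closed: anything other than an explicit grant is a denial.
        return results.Length == 1 && (int)results[0] == NoError;
    }
}
```

Here the $500 limit lives in the BizRule stored with the task definition, so it is administered in the AzMan store rather than in application code, while role membership is still assigned separately.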

