Role Based Security

Martin Eckart

Hi NG,

I am about to start development of the Security part of a big application.
The requirements are that users must be assigned to roles and the roles then
can be configured to access features.

The features are a set of methods in C# which will be defined once before
rollout. The assignment which roles can access those features are
configurable in an xml file.

I would like to use Role Based Security functionality from the .NET
Framework but have not found anything yet about how to make the following
call depending on an external file/service:
[PrincipalPermissionAttribute(SecurityAction.Demand, Name = "MyUser", Role =
"User")]
I can get the current user from my database, but I don't know how to put a
placeholder here for the Role and replace it then with the value from the
configuration file.

Any hints?

Thanks,
Martin
 
sloan

Personally...I created my own IPrincipal interface (and concrete
implementation).
I decided to go to a RIGHTS based model.

The below interface has met my needs, 100% of the time.


I feel the "Roles" based system kinda is lacking a tad. Most people can
make it work.
One guy (at a user group meeting) told me he uses "rights" anywhere the word
"role" appears.
(Aka, an artificial swap out).




public interface IRolesAndRightsPrincipal : System.Security.Principal.IPrincipal
{
    // Role checks, keyed by Guid instead of by role name
    bool IsInRole(System.Guid role);

    bool IsInAnyRole(System.Guid[] roles);

    bool IsInAllRoles(System.Guid[] roles);

    // Right checks, keyed by Guid
    bool HasRight(System.Guid right);

    bool HasAnyRight(System.Guid[] rights);

    bool HasAllRights(System.Guid[] rights);

    // and ISecurityRole is just a Guid and a Name simple object in my world
    ISecurityRoleCollection AllRoles
    {
        get;
    }

    // and ISecurityRight is just a Guid and a Name simple object in my world
    ISecurityRightCollection AllRights
    {
        get;
    }
}
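
An added example, not part of the original posts and not sloan's code: one way to make the check depend on the XML file is an imperative, deny-by-default lookup in place of the compile-time attribute. The class name FeatureAccessPolicy, the XML layout and the feature names are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using System.Security.Principal;
using System.Xml.Linq;

// Hypothetical helper: maps each feature name to the roles allowed to call it.
public sealed class FeatureAccessPolicy
{
    private readonly Dictionary<string, HashSet<string>> _rolesByFeature;

    // A missing or duplicate feature name makes ToDictionary throw, so a
    // malformed file fails at load time instead of silently granting access.
    public FeatureAccessPolicy(XDocument config)
    {
        _rolesByFeature = config.Root.Elements("feature").ToDictionary(
            f => (string)f.Attribute("name"),
            f => new HashSet<string>(
                f.Elements("role").Select(r => (string)r.Attribute("name"))),
            StringComparer.Ordinal);
    }

    // Deny by default: unauthenticated callers and unlisted features are refused.
    public bool IsAllowed(IPrincipal user, string feature)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;
        HashSet<string> roles;
        return _rolesByFeature.TryGetValue(feature, out roles)
            && roles.Any(r => user.IsInRole(r));
    }

    // Call as the first statement of each protected method.
    public void Demand(IPrincipal user, string feature)
    {
        if (!IsAllowed(user, feature))
            throw new SecurityException("Access to feature '" + feature + "' denied.");
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample configuration and user, not taken from the thread.
        var xml = XDocument.Parse(@"<features>
  <feature name='Orders.View'><role name='User'/><role name='Manager'/></feature>
  <feature name='Orders.Approve'><role name='Manager'/></feature>
</features>");
        var policy = new FeatureAccessPolicy(xml);
        var user = new GenericPrincipal(new GenericIdentity("MyUser"), new[] { "User" });
        foreach (var f in new[] { "Orders.View", "Orders.Approve", "Orders.Delete" })
            Console.WriteLine(f + ": " + policy.IsAllowed(user, f));
    }
}
```

Since the file now decides who may call what, it needs the same write protection as the application binaries.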
 
Martin Eckart

Thanks sloan, great hints.

One more question: I assume you then use the Demand() method of the
PrincipalPermission class. Are you implementing your own Demand() method?
How would you do that, since Princ.Permission is sealed?

 
sloan

No, I don't implement/use the Demand() method.



 
