Business Object Authorization Design

Business Object Authorization Design

Old forum URL:

sirmaelstrom posted on Thursday, October 20, 2011

I'm very new to CSLA but am thrilled to have found it and have started working through Rockford's C# 2008 Business Objects book.  I have a design question that I'm hoping others with more experience can chime in on, especially as thoughts on how using CSLA can help me better refine the design.

I'm considering a system that stores multiple types of business evaluation records.  These records are associated with a subject (a user in this system) and an author (the authoring user).

This system has a concept of multiple types of roles.  For instance, there are roles that indicate a user's level, and would allow a user to be a member of one and only one of these roles.  There may also be predicate roles for which a user may be a member of 1 or more.  

When an object is requested from the system, the requesting users "level" role and "predicate" role(s) are to be compared to the subject user's roles.  If the requesting users "level" is higher than the subject's and the subject and requester share at least one predicate role, then the requester may have access to the object.

Does this make any sense?  Is there a design that maps well to this sort of concept?  Certain reading for CSLA that I should target first that might help me with this design?

StefanCop replied on Thursday, October 20, 2011

I havn't fully understood your statements. But I recommend to read these sources: (including Source\Csla\Rules\AuthorizationRules.cs)

I guess, you need your specific "IsInRole" authorization rule. A role basically is just a string, which you can give some additional sematic, i.e. "predicateA;5".

The authorization rules are designed to be simple and fast.

Copyright (c) Marimer LLC