Object Authorization Rules

Old forum URL: forums.lhotka.net/forums/t/12125.aspx


collins.sumpa posted on Friday, August 23, 2013

I would like to implement object authorization rules on my employee object. However, the complication arises from the fact that employees are grouped in payroll groups such as Confidential payroll, Middle Management payroll and Unionized payroll, and the employee group property determines which payroll group they belong to. For example, employees with the group value of "EXCO" (Executive Committee) belong to the confidential payroll, whilst employees with group property values of SMG1 (Senior Manager Group Level 1), SMG2 (Senior Manager Group Level 2) and SMG3 (Senior Manager Group Level 3) belong to the middle management payroll, etc. Employees in the confidential payroll can only be viewed and updated by users in the Human Resources Director and Finance Director roles. Employees in the middle management payroll and unionized payroll can be updated and viewed by users in the Human Resources Director, Finance Director, Human Resources Manager and Accountant roles. My understanding of the object authorization rules is that they apply at object type level and not at instance level. How do I go about implementing object authorization rules for the employee object?

JonnyBee replied on Friday, August 23, 2013

Hi,

First off - we are not talking plain role based authorization - this is some type of "post-fetch" authorization where you look at the data being loaded.

There are several alternative solutions here:

You may create custom AuthorizationRules that can handle target == null and not null (when your code supplies the target for Fetch/Create), or just add direct checks in your code. Then:

  1. Add checks in DataPortal_Fetch and throw SecurityException directly from the DAL code.
  2. Add checks in DataPortal_OnDataPortalInvokeComplete to check for authorization.

CSLA will call the Create/Fetch rules with "target" = null - but you may add additional code to check the authorization _and_ supply the target object. There are static BusinessRules.HasPermission methods that accept the actual target object, so you can check for permission.

Just make sure your rule will run OK whether target object is specified or null.

Also - remember that there can only be one authorization rule registered for each AuthorizationAction, RuleSet and MethodInfo.
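A worked version of the approach JonnyBee describes, as an added example that is not code from this thread or from the CSLA project. It assumes the CSLA 4.x API (AuthorizationRule, AuthorizationContext, BusinessRules.AddRule and BusinessRules.HasPermission), an Employee business object with a string Group property, and the role names quoted in the question; the EXCO/SMG1-SMG3 mapping, the treatment of every other group code as the unionized payroll, and the EmployeeDal stand-in with its two rows are assumptions made for illustration.

```csharp
// Added example (not code from the thread or from the CSLA project).
// Assumes the CSLA 4.x API, an Employee.Group string property and the role
// names from the question. Group codes other than EXCO and SMG1-SMG3 are
// treated as the unionized payroll here; that mapping and EmployeeDal are
// assumptions for illustration.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using Csla;
using Csla.Rules;

public class PayrollGroupRule : AuthorizationRule
{
    // Who may view/update each payroll group (from the question).
    private static readonly string[] ConfidentialRoles =
        { "Human Resources Director", "Finance Director" };
    private static readonly string[] OtherPayrollRoles =
        { "Human Resources Director", "Finance Director",
          "Human Resources Manager", "Accountant" };

    public PayrollGroupRule(AuthorizationActions action) : base(action) { }

    protected override void Execute(AuthorizationContext context)
    {
        var user = ApplicationContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            context.HasPermission = false;   // deny by default
            return;
        }

        var employee = context.Target as Employee;
        if (employee == null)
        {
            // Type-level call (CSLA passes Target == null for Create/Fetch):
            // no Group value yet, so only ask "may this user see any employee?".
            context.HasPermission = OtherPayrollRoles.Any(user.IsInRole);
            return;
        }

        // Instance-level call: the loaded Group value selects the role list.
        var allowed = IsConfidentialPayroll(employee.Group)
            ? ConfidentialRoles
            : OtherPayrollRoles;
        context.HasPermission = allowed.Any(user.IsInRole);
    }

    // Assumed mapping: EXCO -> confidential payroll; SMG1-SMG3 and all other
    // codes share the wider role list, so only the confidential case is special.
    private static bool IsConfidentialPayroll(string group) =>
        string.Equals(group, "EXCO", StringComparison.OrdinalIgnoreCase);
}

[Serializable]
public class Employee : BusinessBase<Employee>
{
    public static readonly PropertyInfo<int> IdProperty =
        RegisterProperty<int>(c => c.Id);
    public int Id => GetProperty(IdProperty);

    public static readonly PropertyInfo<string> GroupProperty =
        RegisterProperty<string>(c => c.Group);
    public string Group
    {
        get => GetProperty(GroupProperty);
        set => SetProperty(GroupProperty, value);
    }

    // Only one rule per AuthorizationAction: the same rule type is registered
    // once for GetObject and once for EditObject.
    private static void AddObjectAuthorizationRules()
    {
        Csla.Rules.BusinessRules.AddRule(typeof(Employee),
            new PayrollGroupRule(AuthorizationActions.GetObject));
        Csla.Rules.BusinessRules.AddRule(typeof(Employee),
            new PayrollGroupRule(AuthorizationActions.EditObject));
    }

    private void DataPortal_Fetch(int id)
    {
        var row = EmployeeDal.Get(id);   // assumed DAL call
        LoadProperty(IdProperty, row.Id);
        LoadProperty(GroupProperty, row.Group);

        // Post-fetch check: Target is now 'this', so the rule can read Group.
        // The same call could live in DataPortal_OnDataPortalInvokeComplete.
        if (!Csla.Rules.BusinessRules.HasPermission(AuthorizationActions.GetObject, this))
            throw new SecurityException(
                "Not authorized to view employees in this payroll group.");
    }
}

// Constructed in-memory stand-in for the real data access layer.
public static class EmployeeDal
{
    public class Row { public int Id; public string Group; }
    private static readonly Dictionary<int, Row> Rows = new Dictionary<int, Row>
    {
        { 1, new Row { Id = 1, Group = "EXCO" } },   // confidential payroll
        { 2, new Row { Id = 2, Group = "SMG2" } },   // middle management payroll
    };
    public static Row Get(int id) => Rows[id];
}
```

Two caveats worth keeping in mind with this pattern. The type-level pass only says the user may see some employee, so for a user without confidential access the EXCO row is loaded into server memory before the post-fetch check rejects it; the SecurityException stops it from reaching the client (it arrives there wrapped in a DataPortalException), but the DAL read has already happened, and a DAL-level filter is the only way to avoid that. For EditObject, the client-side check in Save() can be bypassed by a modified client, so the server-side DataPortal_Update should repeat the HasPermission call, and it should decide on the Group value currently stored in the database rather than the value the client submitted, since a client could change Group from EXCO to SMG1 before saving to move the employee into the less restricted role list.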

Copyright (c) Marimer LLC