AzMan NetSqlAzMan

Old forum URL: forums.lhotka.net/forums/t/2058.aspx


FireGarden posted on Monday, January 01, 2007

Hi,
I am trying to implement an AzMan-style security system where the operations and their role access are defined in AzMan or NetSqlAzMan (NetSqlAzMan is AzMan done properly, if you are wondering).

The question I have is how to go about implementing the access checks. The way I understand CSLA to work is that all authorization checks can be done on the client side simply by comparing the role value to IPrincipal.

The first problem I see with NetSqlAzMan is that all access checks have to be done on the server. Would I use a command object to perform the access check?

Can someone provide me with some guidance on how to implement an AzMan-type authorization check using the Csla framework?

I am,
    Yours very sincerely,

Rob Wheeldon

FireGarden replied on Saturday, January 13, 2007

I have configured NetSqlAzMan to work with Csla security and I have to say it works very well. On application startup I perform all access checks and cache the result in the Csla.ApplicationContext.

If you are a 3rd party developer and you want to standardize your authorization you definitely need to check out http://sourceforge.net/projects/netsqlazman

Rob

milecker replied on Thursday, June 21, 2007

Rob,

While I agree with you that there are some nice enhancements/fixes over AzMan, there are in my opinion a few large issues related to NetSqlAzMan.

i) Permission checks are performed in the data tier. Major no-no in development since you are now tied to a SQL Server implementation + as a general rule business logic goes on in the middle tier so as not to be tied to the storage provider.

ii) Interface. While AzMan suffered from only supporting NT users/groups, NetSqlAzMan also is limited since it takes an IPrincipal object as part of the interface for an access check. This defeats the purpose, in my opinion, of a general authorization tool. A generic authorization tool should only take a string, e.g. "Domain\UserId" or "testAccount". This allows for any type of user {NT, Application, etc.}.

iii) Not the ideal client/server solution where a client is passed a set of valid operations that are cached for the "Session". To this end, I think that ideally in an enterprise there should be a web service which provides an interface for many applications to make calls in to get permissions.

Mind you, there were some major improvements over AzMan, including the web interface, item authorization and the ability to have "Custom users" that are not NT accounts.

Cheers 
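
The pattern discussed in this thread (check every operation once at startup, then cache the result for the session), shown as an added example that is not code from any poster, from CSLA or from NetSqlAzMan. `IOperationStore`, `InMemoryStore` and `OperationCache` are hypothetical names, the store is assumed to take a plain user-name string, and the sample user and operations are constructed. It also shows the cached snapshot going stale after a revocation, which is why the server-side operation checks the store again.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical store interface; stands in for AzMan/NetSqlAzMan, not their API.
public interface IOperationStore
{
    bool IsAllowed(string userName, string operation);
}

// Constructed in-memory store so the example runs without a database.
public sealed class InMemoryStore : IOperationStore
{
    private readonly HashSet<string> _grants = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
    public void Grant(string user, string op) { _grants.Add(user + "|" + op); }
    public void Revoke(string user, string op) { _grants.Remove(user + "|" + op); }
    public bool IsAllowed(string user, string op) { return _grants.Contains(user + "|" + op); }
}

// Per-session snapshot: every known operation is checked once at startup.
public sealed class OperationCache
{
    private readonly HashSet<string> _allowed = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
    public OperationCache(IOperationStore store, string user, IEnumerable<string> operations)
    {
        foreach (string op in operations)
            if (store.IsAllowed(user, op)) _allowed.Add(op);
    }
    // Deny by default: an operation that was never checked is not allowed.
    public bool CanExecute(string op) { return _allowed.Contains(op); }
}

public static class Demo
{
    public static void Main()
    {
        var store = new InMemoryStore();
        store.Grant(@"DOMAIN\rob", "Customer.Edit");            // constructed sample data
        string[] ops = { "Customer.Edit", "Customer.Delete" };

        var cache = new OperationCache(store, @"DOMAIN\rob", ops);
        Console.WriteLine(cache.CanExecute("Customer.Edit"));    // granted at startup: UI enables it
        Console.WriteLine(cache.CanExecute("Customer.Delete"));  // never granted: UI hides it

        store.Revoke(@"DOMAIN\rob", "Customer.Edit");           // permission removed mid-session
        Console.WriteLine(cache.CanExecute("Customer.Edit"));    // snapshot is stale, UI hint only
        // The server-side operation asks the store again before touching data.
        Console.WriteLine(store.IsAllowed(@"DOMAIN\rob", "Customer.Edit"));
    }
}
```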

Copyright (c) Marimer LLC