Tasks vs Roles

Old forum URL: forums.lhotka.net/forums/t/3402.aspx


MBursill posted on Monday, August 20, 2007

I'm playing around with the MMC Authorization Manager attempting to set up some role-based security.

From what I can tell, CSLA allows me to look at roles and easily figure out what user belongs to what role. Can the same be said for tasks?

The software I'm developing is for smaller-sized businesses. We're the type of place where one day the operations manager is filling the shoes of the accountant because the accountant called in sick, or is on vacation. As a result, my system needs to be flexible when it comes to authorization rules. I wish to limit read/write access of properties not based on roles, but tasks.

I can foresee situations where I may want to allow tasks for a user without exposing all the tasks of an already defined role. I may end up with a lot of specialized roles, each with just a few tasks and maybe one user, but it will offer me the flexibility to really break up and easily manage the various parts of my system.

Has anyone encountered this type of scenario and what was done about it?

Thanks.

MBursill replied on Monday, August 20, 2007

As a quick follow-up to this, I just discovered that Microsoft's Security Application Block encourages the use of tasks to enforce authorization rules.

If CSLA is only using roles, won't that make the defining of tasks through something like AzMan pointless?

Ank replied on Monday, August 20, 2007

I had done something similar in one of my projects. It did not use CSLA. Instead of creating many roles I used a concept of "delegating tasks to some other user". This requires checking tasks and not roles of the user for authorization. All tasks are not available for delegation. If a user logs on as a delegate of someone they only get a subset of tasks available to the real user. I am fairly new to CSLA so not sure if such a thing is supported.

Ank

JoeFallon1 replied on Monday, August 20, 2007

I have Roles in my Identity (because I have to.)

But I use an identical structure to also fill my Identity with Permissions. I guess you could say that Permissions and Tasks are the same thing. So a user could be in Role "Manager" but be given permissions to "Edit Accounts". In that case they will be able to open and use the Account edit form because instead of checking for IsInRole("Accountant")

I will check for:  HasPermission("Edit Accounts")

During LogIn I fill both roles and permissions from my database for the user.

Joe

MBursill replied on Wednesday, August 22, 2007

That sounds like exactly what I'm trying to do. I'm assuming you added the HasPermission method to the BusinessPrincipalBase?

Inside RolesForProperties (which you maybe renamed PermissionsForProperties) how do you check for IsReadAllowed? Do you take in a BusinessPrincipalBase instead of IPrincipal and then use HasPermission?

JoeFallon1 replied on Sunday, August 26, 2007

"I'm assuming you added the HasPermission method to the BusinessPrincipalBase?"

Yes. I derived Principal and Identity classes from Rocky's base classes. Then I duplicated the IsInRole code and renamed them to HasPermission. Then during Fetch I get both Roles and Permissions.

==============================================================

"Inside RolesForProperties how do you check for IsReadAllowed?"

I did not go that far. I saw that I would have to duplicate 95% of Rocky's Authorization code in order to make effective use of IsReadAllowed using my Permissions. This is because he directly calls IsInRole. I asked him to use a Delegate instead and he added it to the wish list a while ago. There is a thread on the subject which you can read from the Wish list.

Joe
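The roles-plus-permissions principal described in the replies above, as an added C# sketch that is not part of the thread and is not CSLA's or any poster's code. It assumes a plain `IPrincipal` implementation instead of CSLA's base classes; `PermissionPrincipal`, `LogIn`, `CanEditAccounts` and the in-memory user table are hypothetical, constructed stand-ins for the derived principal and the database read at login.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical principal: carries roles and permissions (tasks) side by side.
public sealed class PermissionPrincipal : IPrincipal
{
    private readonly HashSet<string> _roles;
    private readonly HashSet<string> _permissions;

    public PermissionPrincipal(IIdentity identity, IEnumerable<string> roles, IEnumerable<string> permissions)
    {
        Identity = identity;
        _roles = new HashSet<string>(roles, StringComparer.OrdinalIgnoreCase);
        _permissions = new HashSet<string>(permissions, StringComparer.OrdinalIgnoreCase);
    }

    public IIdentity Identity { get; }
    public bool IsInRole(string role) => _roles.Contains(role);
    // Same shape as IsInRole, but answers "may this user perform this task?"
    public bool HasPermission(string permission) => _permissions.Contains(permission);
}

public static class Demo
{
    // Constructed sample data standing in for the database read at login.
    static readonly Dictionary<string, (string[] Roles, string[] Permissions)> Users =
        new Dictionary<string, (string[], string[])>
        {
            ["opsmanager"] = (new[] { "Manager" }, new[] { "Edit Accounts" }),
            ["clerk"] = (new[] { "Clerk" }, new string[0]),
        };

    static PermissionPrincipal LogIn(string name)
    {
        var u = Users[name];
        return new PermissionPrincipal(new GenericIdentity(name), u.Roles, u.Permissions);
    }

    // Fail closed: a principal that carries no permission set is denied.
    static bool CanEditAccounts(IPrincipal p) =>
        p is PermissionPrincipal pp && pp.HasPermission("Edit Accounts");

    public static void Main()
    {
        foreach (var name in new[] { "opsmanager", "clerk" })
            Console.WriteLine($"{name}: accountant role={LogIn(name).IsInRole("Accountant")}, can edit accounts={CanEditAccounts(LogIn(name))}");
        var roleOnly = new GenericPrincipal(new GenericIdentity("legacy"), new[] { "Accountant" });
        Console.WriteLine($"legacy: can edit accounts={CanEditAccounts(roleOnly)}");
    }
}
```

The manager is granted the single task without joining the "Accountant" role, and a role-only principal is denied because the check never falls back to role membership.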

jhoojharsinghyadav replied on Friday, September 07, 2007

Joe,

Have a look at this,
this is also the same thing which you are talking about,
and I'm using this perfectly:
http://forums.lhotka.net/forums/thread/17224.aspx

Copyright (c) Marimer LLC