Dynamic property level security

Thomas
Newbie
Joined: 21-Feb-2012
Posts: 23
Posted: 21-Feb-2012 at 12:57am
For our application we would need to have the possibility to specify which properties of an object a user should be able to manipulate. This information is stored in the database. The table has the following information:

* Name of the class
* Name of the property or method
* Read
* Write
* (Delete - this is only for entries that belong to the class)
* (Execute - only for methods)

These access rights can be assigned to roles and roles will be assigned to users which would give me the possibility to define access perfectly.

I already looked into your documentation but I am not really sure what is the best way to apply this security scheme. I would prefer an approach where I only need to maintain this at a single place (maybe some kind of a global interceptor?).

ting
IdeaBlade
Joined: 27-Mar-2009
Location: San Francisco
Posts: 427
Posted: 22-Feb-2012 at 6:20pm
Hi Thomas,

Good question. For the properties, you could use either dynamic property interceptors or dynamic verifiers. You can put the setup code for this in the base class of the entities. In the implementation of the interceptors/verifiers, you would refer to your security service that checks for roles on the Thread.CurrentPrincipal, which returns your custom UserBase class that was set up on login.

You will probably also want to drive the UI from the security itself. So your ViewModel might also contain properties that automatically (when bound) make certain controls read-only or non-visible if the user does not have the proper permissions.

For methods, you could call a base class implementation that checks security first. However, you'd probably want the UI to gray out or hide the button before even getting there.

Managing and provisioning such fine grained access control can be quite a lot of work (separate from the code that enforces the policy), so I don't know if there are alternative strategies that may make sense to consider.

Our professional services team is much better equipped to handle architectural questions like this, so if you'd like more help, we can put you in touch with them and they can advise on the implementation.



Edited by ting - 22-Feb-2012 at 6:21pm
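
The security service described in the reply above, sketched as an added example that is not part of the original posts and is not DevForce code: a single server-side check that a property interceptor or a base-class method could call. The names `MemberSecurityService`, `Access` and `Demand`, the in-memory grant table and the sample roles and classes are assumptions made for illustration; only `Thread.CurrentPrincipal` and the Read/Write/Delete/Execute columns come from the thread.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Threading;

[Flags]
public enum Access { None = 0, Read = 1, Write = 2, Delete = 4, Execute = 8 }

public sealed class MemberSecurityService   // hypothetical name
{
    // (role, class, member) -> rights; member "" stands for the class itself (Delete).
    private readonly Dictionary<(string Role, string Class, string Member), Access> _grants =
        new Dictionary<(string, string, string), Access>();

    public void Grant(string role, string cls, string member, Access rights) =>
        _grants[(role, cls, member)] = rights;

    // Union of the rights of every role the principal holds; no matching row means no access.
    public Access RightsFor(IPrincipal user, string cls, string member)
    {
        var rights = Access.None;
        if (user?.Identity == null || !user.Identity.IsAuthenticated) return rights;
        foreach (var grant in _grants)
            if (grant.Key.Class == cls && grant.Key.Member == member && user.IsInRole(grant.Key.Role))
                rights |= grant.Value;
        return rights;
    }

    // Called from a property get/set hook or at the top of a guarded method.
    public void Demand(string cls, string member, Access needed)
    {
        if ((RightsFor(Thread.CurrentPrincipal, cls, member) & needed) != needed)
            throw new UnauthorizedAccessException($"{needed} denied on {cls}.{member}");
    }
}

public static class Demo
{
    public static void Main()
    {
        var svc = new MemberSecurityService();   // constructed sample rows, not real data
        svc.Grant("Clerk",   "Customer", "CreditLimit", Access.Read);
        svc.Grant("Manager", "Customer", "CreditLimit", Access.Read | Access.Write);
        svc.Grant("Manager", "Customer", "",            Access.Delete);
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Clerk" });
        svc.Demand("Customer", "CreditLimit", Access.Read);          // Clerk may read
        try { svc.Demand("Customer", "CreditLimit", Access.Write); } // Clerk may not write
        catch (UnauthorizedAccessException e) { Console.WriteLine(e.Message); }
        Console.WriteLine(svc.RightsFor(Thread.CurrentPrincipal, "Customer", "Salary")); // no row for this member
    }
}
```

The same `RightsFor` result can feed the ViewModel flags that make controls read-only or hidden, so the UI and the server-side enforcement read one policy.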

Thomas
Newbie
Joined: 21-Feb-2012
Posts: 23
Posted: 23-Feb-2012 at 11:17am
Thank you for your answer!

I think that the dynamic verifiers are not that good for my purpose as they would not be used automatically when the properties are read (so they won't work for read security). I will probably go for the dynamic property interceptors on the server and use some factory method on the client to inject custom attributes/functions into the view model for the properties that I don't want to show (so they won't get data from the server but to hide them I would add something to them). 