DevForce Community Forum : Dynamic property level security

DevForce Community Forum : Dynamic property level security http://www.ideablade.com/forum/ This is an XML content feed of; DevForce Community Forum : DevForce 2010 : Dynamic property level security Fri, 17 Apr 2026 00:56:51 -700 Thu, 23 Feb 2012 11:17:53 -700 http://blogs.law.harvard.edu/tech/rss Web Wiz Forums 9.69 360 www.ideablade.com/forum/RSS_post_feed.asp?TID=3273 DevForce Community Forum http://www.ideablade.com/forum/forum_images/IdeaBlade_logo_tm.png http://www.ideablade.com/forum/ Dynamic property level security : Thank your for your answer!I think... http://www.ideablade.com/forum/forum_posts.asp?TID=3273&PID=12764#12764 Author: Thomas
Subject: 3273
Posted: 23-Feb-2012 at 11:17am

Thank your for your answer!

I think that the dynamic verifiers are not that good for my purpose as they would not be used automatically when the properties are read (so they won't work for read security). I will probably go for the dynamic property interceptors on the server and use some factory method on the client to inject custom attributes/functions into the view model for the properties that I don't want to show (so they won't get data from the server but to hide them I would add something to them).

]]> Thu, 23 Feb 2012 11:17:53 -700 http://www.ideablade.com/forum/forum_posts.asp?TID=3273&PID=12764#12764 Dynamic property level security : Hi Thomas,Good question. For... http://www.ideablade.com/forum/forum_posts.asp?TID=3273&PID=12744#12744 Author: ting
Subject: 3273
Posted: 22-Feb-2012 at 6:20pm

Hi Thomas,

Good question. For the properties, you could use either dynamic property interceptors or dynamic verifiers. You can put the setup code for this in the base class of the entities. In the implementation of the interceptors/verifiers, you would refer to your security service that checks for roles on the Thread.CurrentPrincipal, which returns your custom UserBase class that was set up on login.

You will probably also want to drive the UI from the security itself. So your ViewModel might also contain properties that automatically (when bound) make certain controls read-only or non-visible if the user does not have the proper permissions.

For methods, you could call a base class implementation that checks security first. However, you'd probably want the UI to gray out or hide the button before even getting there.

Managing and provisioning such fine grained access control can be quite a lot of work (separate from the code that enforces the policy), so I don't know if there are alternative strategies that may make sense to consider.

Our professional services team is much better equipped to handle architectural questions like this, so if you'd like more help, we can put you in touch with them and they can advise on the implementation.

Edited by ting - 22-Feb-2012 at 6:21pm]]> Wed, 22 Feb 2012 18:20:44 -700 http://www.ideablade.com/forum/forum_posts.asp?TID=3273&PID=12744#12744 Dynamic property level security : For our application we would need... http://www.ideablade.com/forum/forum_posts.asp?TID=3273&PID=12704#12704 Author: Thomas
Subject: 3273
Posted: 21-Feb-2012 at 12:57am

For our application we would need to have the possibility to specifiy which properties of an object a user should be able to manipulate. This information is stored in the database. The tables has the following information

* Name of the class

* Name of the property or method

* Read

* Write

* (Delete - this is only for entries that belong to to the class)

* (Execute - only for methods)

These access rights can be assigned to roles and roles will be assigned to users which would give me the possibility to define access perfectly.

I already looked into your documentation but I am not really sure what is the best way to apply this security scheme. I would prefer an approach where I only need to maintain this at a single place (maybe some kind of a global interceptor?).

]]> Tue, 21 Feb 2012 00:57:03 -700 http://www.ideablade.com/forum/forum_posts.asp?TID=3273&PID=12704#12704