CreateDelegate

Mar 23, 2010 at 8:05 PM
Hi,
Great product! What a time saver, thanks for all your work.
I'm just learning now, and trying to implement a CreateDelegate method that will allow a dbuser to delegate access to another dbuser. Both dbusers are members of a store group that has been added to the operation. With the snap-in I have set up the dbUserNameGrantor user and granted AllowWithDelegate, and the grantee has been granted neutral.
Is this possible? I'm using the function below but get the error message that the dbuser (granting delegation) doesn't have permissions to do so.
How can I grant one dbuser access to delegate?
Many thanks,
Steve.
        // Requires: using System; using NetSqlAzMan; using NetSqlAzMan.Interfaces;
        public void CreateDelegate(string dbUserNameGrantor, string dbUserNameGrantee)
        {
            // USER MUST BE A MEMBER OF SQL DATABASE ROLE: NetSqlAzMan_Users

            //Sql Storage connection string
            string sqlConnectionString = System.Configuration.ConfigurationManager.ConnectionStrings["LocalSqlServer"].ConnectionString;
            //Create an instance of SqlAzManStorage class
            IAzManStorage storage = new SqlAzManStorage(sqlConnectionString);
            IAzManStore mystore = storage.GetStore("My Store"); //or storage["My Store"]
            IAzManApplication myapp = mystore.GetApplication("My Application");
            IAzManItem myop = myapp.GetItem("op_updateDashboard");

            //Delegating user (grantor); must hold AllowWithDelegation on the operation
            IAzManDBUser dbUser = storage.GetDBUser(dbUserNameGrantor);

            //Retrieve current user identity (delegating user)
            //WindowsIdentity userIdentity = WindowsIdentity.GetCurrent(); //for Windows Applications

            //User receiving the delegation (grantee)
            IAzManDBUser delegatedUser = storage.GetDBUser(dbUserNameGrantee);

            //Authorization handed to the delegate (assumed value: Allow)
            RestrictedAuthorizationType delegateAuthorization = RestrictedAuthorizationType.Allow;

            //Create delegate
            IAzManAuthorization del = myop.CreateDelegateAuthorization(dbUser, delegatedUser.CustomSid, delegateAuthorization, new DateTime(2010, 1, 1, 0, 0, 0), new DateTime(2010, 12, 31, 23, 59, 59));
            //Set custom Attribute on Authorization Delegate
            del.CreateAttribute("MyCustomInfoKey", "MyCustomInfoValue");
        }
Coordinator
Mar 24, 2010 at 5:47 PM

Hi,

Just check that the User (in the SQL Storage connection string) is at least a member of the NetSqlAzMan_Users (or NetSqlAzMan_Administrators) SQL DB role.

Let me know.

Regards,

Andrea.

__________________________________
Andrea Ferendeles
NetSqlAzMan Project Coordinator  
E-mail aferende@hotmail.com Web http://netsqlazman.codeplex.com

Mar 24, 2010 at 6:29 PM

Hi Andrea,

Thanks for your response. My SQL user in the connection string is a member of the NetSqlAzman_Administrators role. Here is the error message I get:

"Create Delegate permission deny for user 'admin' (FECB5B50E44B5B40844ADF6FA2CE7620) to user 'A4F9FEAD7BD9F042BD01955CCD7F5C77' (A4F9FEAD7BD9F042BD01955CCD7F5C77)."

In my netsqlazman repository, I have both users defined, admin has allow with delegation, and the second user is set to neutral.

Best,

Steve.

Coordinator
Mar 24, 2010 at 6:33 PM

Hi,

this error is caused by this code:

            if (this.CheckAccess(delegatingUser, DateTime.Now) != AuthorizationType.AllowWithDelegation)
            {
                string msg = String.Format("Create Delegate permission deny for user '{0}' ({1}) to user '{2}' ({3}).", delegatingUser.UserName, delegatingUser.CustomSid.StringValue, delegatedName, delegateUser.StringValue);
                throw new SqlAzManException(msg);
            }

So, please check again that the CheckAccess result for the user Admin is “AllowWithDelegation”.

Let me know.

Regards,

Andrea.


Mar 24, 2010 at 6:43 PM

Hi,

I have a store group called "staff" of which "admin" is a member.

I have a role "update dashboard", of which task "t_updateDashboard" is a member; this task has operation "op_updateDashboard" as a member.

At the role authorizations level, I have added the store group "staff" and given this group "allow with delegate" authorizations.

Does this not propagate down from role, to task, to operation?

Best,

Steve.

Coordinator
Mar 24, 2010 at 10:46 PM

Hi,

“AllowWithDelegation” permission does not propagate. When propagating down it becomes “Allow”.

If you want to preserve “AllowWithDelegation” permission, you must assign a direct permission of your User on Role/Task/Operation without encapsulating it in a Store Group.

Regards,

Andrea.


Mar 25, 2010 at 2:20 PM

Thanks Andrea.

Steve.
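
A pre-flight check for the situation resolved in this thread, added here as an illustration and not part of the original posts or of the NetSqlAzMan project code: it prints the effective CheckAccess result for the grantor at each level of the role, task and operation chain, and reports whether the operation itself resolves to AllowWithDelegation before CreateDelegateAuthorization is attempted. The class and method names are hypothetical; the store, application, item and connection string names are the ones quoted in the thread.

```csharp
using System;
using System.Configuration;
using NetSqlAzMan;
using NetSqlAzMan.Interfaces;

// Hypothetical helper (added example, not project code).
public static class DelegationPreflight
{
    // Returns true only when the grantor's effective authorization on the
    // operation is AllowWithDelegation, the condition CreateDelegateAuthorization
    // enforces before it creates the delegate.
    public static bool CanDelegate(string grantorName)
    {
        string cs = ConfigurationManager.ConnectionStrings["LocalSqlServer"].ConnectionString;
        IAzManStorage storage = new SqlAzManStorage(cs);
        IAzManApplication app = storage.GetStore("My Store").GetApplication("My Application");
        IAzManDBUser grantor = storage.GetDBUser(grantorName);

        // Role -> task -> operation, as described in the thread.
        string[] chain = { "update dashboard", "t_updateDashboard", "op_updateDashboard" };

        AuthorizationType effective = AuthorizationType.Neutral;
        foreach (string itemName in chain)
        {
            // Same call the library makes internally for the delegating user.
            effective = app.GetItem(itemName).CheckAccess(grantor, DateTime.Now);
            Console.WriteLine("{0,-20} {1}", itemName, effective);
        }

        // The last item checked is the operation the delegate would be created on.
        if (effective != AuthorizationType.AllowWithDelegation)
        {
            Console.WriteLine(
                "'{0}' cannot delegate op_updateDashboard: effective authorization is {1}. " +
                "Assign AllowWithDelegation to the user directly, not through a Store Group.",
                grantorName, effective);
            return false;
        }
        return true;
    }
}
```

Running it for the grantor shows at which level the effective authorization stops being AllowWithDelegation, which is the condition behind the "Create Delegate permission deny" exception.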