We are evaluating NetSqlAzMan for use in a project and it looks really promising. The one area I'm not sure about is whether we can use it for per-resource authorization or not. From the documents and videos it seems like attributes are the way to go about this but I'm not exactly sure. Here is my scenario:
1. There are a number of 'projects'.
2. There are several project-related roles: project manager, project assessor, project evaluator etc.
3. A User can be in one or more roles for each project and these are assigned on a per-project basis.
So the way I was thinking about doing this was:
1. Add each of the project roles to the store, set up tasks, ops etc. as normal.
2. When a user is assigned a role on a project, e.g. project manager, he or she is added to the authorizations for that role.
3. Add an attribute to that authorization for the appropriate projectid. So if the user was a project manager on p1 and p2, his or her role authorization would have 2 attributes: p1 - true, p2 - true (true doesn't have any particular meaning here and could
4. Add a business rule for each role that takes project id in a context parameter. Compare this parameter against the list of attributes for the user's authorization to determine if they are authorized or not. So if the app asks for a check if a user is authorized as a project manager on project p2, the biz rule will check if there is a p2 attribute for that user on the project manager authorization.
It's this last step that I'm not sure about. Is this possible? Is there a better way of doing it? For consistency I'd really like all authorization to be done in Azman; I don't want to have to pass the attributes back to the app and have it use those to self-authorize unless it's really necessary.
Thanks in advance for any help
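
The check described in step 4, modeled as an added example that is not part of the original post and does not use NetSqlAzMan's own API. The types `RoleAuthorization` and `ProjectRule`, the context key `projectId` and the sample user are assumptions made for illustration; the rule denies whenever the project id is missing or empty, so an incomplete request never matches every project.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical model of the scheme in the post; these types are NOT NetSqlAzMan's API.
enum Decision { Deny, Allow }

sealed class RoleAuthorization
{
    public string User { get; }
    public string Role { get; }
    // Attribute key = project id; the value ("true") carries no meaning, as in the post.
    public Dictionary<string, string> Attributes { get; } =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
    public RoleAuthorization(string user, string role) { User = user; Role = role; }
}

static class ProjectRule
{
    // Step 4: the rule receives the project id as a context parameter and allows
    // only if the user's authorization for that role carries a matching attribute.
    public static Decision Check(IEnumerable<RoleAuthorization> store, string user,
        string role, IDictionary<string, object> context)
    {
        // Fail closed: a missing or empty project id is never read as "any project".
        if (context == null || !context.TryGetValue("projectId", out var raw))
            return Decision.Deny;
        var projectId = (raw as string)?.Trim();
        if (string.IsNullOrEmpty(projectId)) return Decision.Deny;
        foreach (var auth in store)
            if (auth.User == user && auth.Role == role
                && auth.Attributes.ContainsKey(projectId))
                return Decision.Allow;
        return Decision.Deny; // no authorization with this project attribute
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample data: alice is project manager on p1 and p2 only.
        var pm = new RoleAuthorization("alice", "Project Manager")
            { Attributes = { ["p1"] = "true", ["p2"] = "true" } };
        var store = new[] { pm };
        var contexts = new[] {
            new Dictionary<string, object> { ["projectId"] = "p2" }, // assigned project
            new Dictionary<string, object> { ["projectId"] = "p3" }, // not assigned
            new Dictionary<string, object>(),                        // parameter missing
        };
        foreach (var ctx in contexts)
            Console.WriteLine(ProjectRule.Check(store, "alice", "Project Manager", ctx));
    }
}
```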