Dynamic Roles Data Dependent

Topics: General Topic, NetSqlAzMan Core
Jun 29, 2011 at 4:09 PM


I need to implement a solution requiring some sort of dynamic roles depending on data... For instance... The system has to do with reporting the use of licensed material (e.g. a licence to store toxic materials... etc...). Each licence has a "Licence Number" associated. Now... There are two types of roles to prepare these reports (could be more in the future)... Drafter and submitter... A drafter is someone with NO authority filling out a report and a submitter is someone who reviews the content, can change it as well and has the right to submit the report to the licensing authorities.

In other words... User1 could be defined as a "Submitter" for LicenceA... The moment he starts working with LicenceB he could be a drafter. If drafter and submitter were defined as roles using the AzMan Console, obviously we cannot define role authorizations since User1 is not always a Submitter nor a Drafter...

Not sure if an alternative could be creating programmatically operations named like "AccessToLicenceAAsSubmitter" and "AccessToLicenceBAsDrafter" and associate the user to operations rather than roles. At the same time we might have to define two tasks... One called Submitter which would include all the operations *AsSubmitter... Another called Drafter to include all the operations *AsDrafter... That Task authorization would be used to set up the left-menu's sitemap handled by the Web Client Software Factory. This implies having thousands of operations... Not sure if this is the right use of AzMan.

PS: we want to minimize bypassing the API (writing directly to the AzMan tables) or customizing the code... however it is an option if recommended.

Suggestions are welcome.


Jun 29, 2011 at 8:01 PM

Another alternative that I forgot to mention...

Could we assign most users to Drafter and Submitter roles... meaning that "potentially" they are members of these roles... And use the CheckAccessForDatabaseUsersWithAttributesRetrieve() API to check access and get back the authorization attributes... The authorization attributes could list the user's licences along with the role to be applied for each licence... Then in code we can process the attributes to verify that the role (stored as an attribute) for a specific licence matches the role passed to the CheckAccessForDatabaseUserWithAttributesRetrieve() as a parameter.

PS: possibly another alternative could be handled through BizRules.


Jul 3, 2011 at 9:33 AM

I think the solution lies in a combined use of Attributes and Biz Rules.

Use attributes for example to handle license numbers:

- Attribute Key: "License ID"

- Attribute Value: "1234"

The Biz Rule will be rather useful for the role determination at the run-time phase.

The NetSqlAzMan API is able to do any work. To better understand this concept, just consider that the MMC only uses the API (NetSqlAzMan.dll) to carry out each operation.



Andrea Ferendeles
NetSqlAzMan Project Coordinator
E-mail aferende@hotmail.com Web http://netsqlazman.codeplex.com
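
A sketch of the per-licence check discussed in this thread, as an added example that is not part of the original posts and is not NetSqlAzMan code. It assumes each role authorization carries one "License ID" attribute per licence it covers and that the outcome of the role access check has been copied into the hypothetical `RoleCheck` type; `LicenceScope` and the sample licence numbers are also made up for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical stand-in for the outcome of one role check: whether the role
// item was allowed, plus the attributes returned with that authorization.
sealed class RoleCheck
{
    public string Role { get; set; }
    public bool Allowed { get; set; }
    public List<KeyValuePair<string, string>> Attributes { get; } =
        new List<KeyValuePair<string, string>>();
}

static class LicenceScope
{
    const string LicenceKey = "License ID"; // attribute key used in the reply above
    // A role applies to a licence only if the role check allowed the user AND
    // an attribute names exactly that licence. Missing data fails closed.
    public static bool Applies(RoleCheck check, string licenceId)
    {
        if (check == null || !check.Allowed || string.IsNullOrWhiteSpace(licenceId))
            return false;
        return check.Attributes.Any(a =>
            string.Equals(a.Key, LicenceKey, StringComparison.Ordinal) &&
            string.Equals(a.Value, licenceId, StringComparison.Ordinal));
    }

    // Roles the user holds for one licence, e.g. to decide whether to offer "Submit".
    public static List<string> RolesFor(IEnumerable<RoleCheck> checks, string licenceId) =>
        checks.Where(c => Applies(c, licenceId)).Select(c => c.Role).ToList();
}

static class Demo
{
    static KeyValuePair<string, string> Licence(string id) =>
        new KeyValuePair<string, string>("License ID", id);
    static void Main()
    {
        // Constructed sample: User1 is Submitter for 1234 and Drafter for 5678.
        var checks = new List<RoleCheck>
        {
            new RoleCheck { Role = "Submitter", Allowed = true, Attributes = { Licence("1234") } },
            new RoleCheck { Role = "Drafter", Allowed = true, Attributes = { Licence("5678") } },
        };
        foreach (var id in new[] { "1234", "5678", "9999" })
            Console.WriteLine(id + ": " + string.Join(",", LicenceScope.RolesFor(checks, id)));
    }
}
```

Role membership alone never grants access here: a role check that comes back allowed but carries no matching licence attribute yields no roles for that licence.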