Attributes & Deny Authorizations

Topics: General Topic, NetSqlAzMan Core
Dec 10, 2011 at 6:11 PM

Dear Andrea,

In my application, I would like to manage authorization on a record level; allow/deny a user/group to perform an operation on record (e.g. order, customer) #number

I am aware that your solution to such a problem is using attributes and I have set an small project to test how it works. My application looks like this:


  • John
  • Bob


  • Admin
  • Sales
  • Marketing


  • CreateOrder
  • UpdateOrder
  • DeleteOrder
  • PrintOrder
  • etc...

Authorizations Examples:

I would like the "Sales" role to be allowed to "UpdateOrder", but in the same time deny "UpdateOrder" (Attributes: OrderNum=12).

I would like to allow "Bob" to "PrintOrder" (Attributes: OrderNum=13) and deny "Bob" from "PrintOrder" (Attributes: OrderNum=16)

In both cases, I would end up with a "Deny" authorization overriding any allow authorization whether I CheckedAccess for (Sales,UpdateOrder) or for (Bob,PrintOrder).

Is there any way to do this or does this require any changes.

I have read all the discussions related to attributes and the user manual but could not find an answer to this.


Thanks in advance,


Dec 11, 2011 at 2:43 PM


you have this behavior because Deny wins on Allow ever … and because the resulting permission is calculated before attributes retrieval.

Anyway .. .you can accomplish this in two way.

1) Use Neutral permission instead of Deny; in this way … Allow will win on Neutral … but neutral means deny

2) You can switch to the Business Rules model (instead of attributes model) to establish permissions based on custom db values. In this way the Business Rule will check for Order # (or any other custom data) before computing the final resulting permission.



Andrea Ferendeles
NetSqlAzMan Project Coordinator
E-mail Web

Dec 11, 2011 at 3:11 PM
Edited Dec 11, 2011 at 3:11 PM

Hi Andreas,

Thanks for your reply.  Is it possible to add an overload of the CheckAccess function to take in an "attributes" parameter.  In that case, it would skip any records that do not have the menitoned attributes.  I will think about a generalized way of getting this function in and share my thoughts with you, but I think you can do a better job in visualizing the required changes in a way that would suit other users.

Thanks in advance,