In my application, I would like to manage authorization on a record level:
allow/deny a user/group to perform an operation on a record (e.g. order, customer).
I am aware that your solution to such a problem is using attributes and I have set up a small project to test how it works. My application looks like this:
I would like the "Sales" role to be allowed to "UpdateOrder", but at the same time deny "UpdateOrder" (Attributes: OrderNum=12).
I would like to allow "Bob" to "PrintOrder" (Attributes: OrderNum=13) and deny "Bob" from "PrintOrder" (Attributes: OrderNum=16).
In both cases, I would end up with a "Deny" authorization overriding any allow authorization whether I CheckedAccess for (Sales,UpdateOrder) or for (Bob,PrintOrder).
Is there any way to do this, or does this require any changes?
I have read all the discussions related to attributes and the user manual but could not find an answer to this.
Thanks in advance,