WCF - CheckAccessForDatabase... How to get DBUserSSid?

Apr 9, 2009 at 4:28 PM
Pulling hair on this one as things "seemed" to be working, but are, in fact, not for me.  I think it has something to do with the following command to check access using WCF:


"Store", "Application", "Add New Contract", "UserName", Now, True, Nothing)

Everything is coming back "Neutral".  when I tested the authorizations within MMC, it shows that the "Windows User" with Id "UserName" has Neutral, but the DB User with ID "UserName" has Deny (Which is correct)

So - if all I am referencing is the WCF endpoint in my web app, how do I go about getting the  DBUserSSid to send along with my CheckAccessFor...whaterver.  I think it is just defaulting to "Neutral" cause it can't find the user and is using a default upper level permission..




Apr 9, 2009 at 8:28 PM
Got this one figured out.  Directly after Authentication, I connect to the Store and run the GetDBUser and store the CustomSid in Session.  From then on, I can call the WCF Cache and things work out fine.

OTHER Issue has arisen though:  Seems when you enter an invalid ID (Any string value for the DBUsersSSid), it will nicely return a Neutral.; however, if you send in looking for an "Item" that doesn't exist, you get a SQL Exception.

Since I am looking at all menu options, which could be dynamically created, I need to be able to "default" the return if an item doesn't exist.

SO, if I checkaccess on an item, it doesn't exist, it should still return a default (configured by me) of deny/allow

Same with user - if a user doesn't exist, or cannot be found, it should not return "neutral", it should default to a configuration of my choosing.  (I would think deny would be best, but I can also see allowing things as well in certain instances).

Hope this all makes sense,

Apr 9, 2009 at 9:07 PM
Note:  Current workaround for invalid "Item" 
Don't like it, but we must move forward.


Dim sec As CacheServiceClient = New CacheServiceClient()
Dim acc As AuthorizationType
    acc = sec.CheckAccessForDatabaseUsersWithoutAttributesRetrieve("Store", "App", "InvalidItemName", Session("UserSid"), Now, False, Nothing)
Catch ex As FaultException
    acc = AuthorizationType.Neutral
End Try



Apr 14, 2009 at 6:30 AM

Hi Tim,

to check the access on DB Users you must provide the DB User SID … and not the DB User Name (because the name could be not unique):

CheckAccessForDatabaseUsersWithoutAttributesRetrieve("Store", "Application", "Add New Contract", "DBUserSID", Now, True, Nothing)

To retrieve the DB User SID use Storage.GetDBUser(“DB User Name”).CustomSid.StringValue


Apr 14, 2009 at 6:32 AM

in general, defaults should be biz-logic based.

Apr 14, 2009 at 6:33 AM

Well done.