I'm struggling to find documentation regarding how to setup the NetSqlAzMan database so that a non-privileged user running an application can access the database in order to discover his authorisations.
Four roles are created in the NetSqlAzMan database: NetSqlAzMan_Administrator, NetSqlAzMan_Manager, NetSqlAzMan_User and NetSqlAzMan_Reader.
I think that the administrator and manager roles are fairly self-explanatory, but I don't understand the difference between a user and a reader. If it doesn't already exist somewhere, please consider publishing more information on these roles:
- What can a member of the NetSqlAzMan_Reader role do?
- What additional facilities become available to a member of the NetSqlAzMan_User role?
- What is the minimum role membership required in order to use the UserPermissionCache?
Regarding the UserPermissionCache:
I appear to be able to use an instance of the cache successfully only if I am a member of the Administrator role. Is this correct? With membership of the Manager role or less, the UserPermissionCache constructor taking (amongst others) a WindowsIdentity
and with the 'multiThreadBuild' parameter false returns an empty cache. The same constructor called with 'multiThreadBuild' set to true crashes with an ArgumentNullException in the worker thread:
System.ArgumentNullException: Value cannot be null.
Parameter name: waitHandles
at System.Threading.WaitHandle.WaitAll(WaitHandle waitHandles, Int32 millis
econdsTimeout, Boolean exitContext)
at NetSqlAzMan.Cache.UserPermissionCache..ctor(IAzManStorage storage, String
storeName, String applicationName, WindowsIdentity windowsIdentity, Boolean retr
ieveAttributes, Boolean multiThreadBuild, KeyValuePair`2 contextParameters)
at NetSqlAzManTester.Program.Main(String args)
May 9, 2009 at 7:41 AM
these are the info you requested (page 21 of the NetSqlAzMan Guide.pdf):
When an authorization is granted by the NetSqlAzMan Administrator, through the administrative console, we are talking properly about “Authorization”. The same mechanism can be used during run-time by special users that allow other users to do
a determined operation in their place. In this case we are talking about “Delegate”.
In order to delegate, the delegant user must have the Allow with delegation permission directly on the Item and must belong to Sql Server: NetSqlAzMan_Users role. In the Sql Storage are present in fact 3 (three) different Database Roles:
- NetSqlAzMan_Administrators (full control)
- NetSqlAzMan_Managers (can manage Store/Application permissions)
- NetSqlAzMan_Users (only reading and delegate permission on Item with Allow with delegation permission)
- NetSqlAzMan_Readers (read only – minimum permission to perform a CheckAccess)
In order to use UserPermissionCache a user must be a member of the NetSqlAzMan_Readers database role and must be authorizied (thought the SnapIn) for a given Store or Application (right click on the Store / Application, Properties, Permissions).
You receive the ArgumentNullException because the database does not found any authorized "Application" for which build the UserPermissionCache.