How can I achieve something like this?

Jan 9, 2010 at 4:54 PM

Having roles, tasks and operation permissions is great.

However, I have a special need.   When a user logs in to the application, they have access to a LIST of entities.  Inside EACH of these entities I need the roles, tasks and permissions.

When permissions are asked, instead of: "Does current user have a certain role or task or operation", the question is "Does current user have a certain role or task or operation FOR a given entity"

Think of an outsourcing business - like you do 'phone calls/call center' for other businesses.

When a user logs into the system, they have certain role/task/operation for SOME businesses. You have end users that log in and do role/task/operation for their one company.  Or that end user may have 5 businesses they are outsourcing to you - so they could do role/task/operation for 5 businesses.   Combine that with your internal people would have certain rights to big lists of your customers and their call lists. 

So, essentially need to give each login a grant for role/task/operation for particular companies.  The role/task/operation and management of it is fine the way it is done in NetSqlAzMan.  It is the Item authorization that needs this feature - inside the item authorization - I would add a user and then for that user would add an entity and THEN add rights on that entity.  Also, the regular 'user' may have rights too (like can add/delete a customer/entity, etc).   Any way to do this with this product or some way to modify it to add this additional indirection?

 

Coordinator
Jan 9, 2010 at 5:53 PM
Hi,
you can achieve this with authorization Attributes.
Attributes are Key/Value pairs.
You can give a user "allow" on operation "X" and add one or more attributes like:
Key: "Company"
Value: "My Company".
Check the pdf guide for further details.
Regards,
Andrea.
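
The entity-scoped check described in this answer, as an added example that is not part of the original thread and does not call the NetSqlAzMan API. The `Authorization` model, `check_access_for` and the sample data are hypothetical; the sketch assumes an allow with no matching "Company" attribute grants nothing for an entity-scoped question, and that a deny overrides any allow.

```python
from dataclasses import dataclass, field

# Hypothetical in-memory model; these names are not NetSqlAzMan types.
@dataclass
class Authorization:
    user: str
    item: str                      # role, task or operation name
    kind: str                      # "allow" or "deny"
    attributes: list = field(default_factory=list)  # (key, value) pairs

def check_access_for(auths, user, item, company, key="Company"):
    """Allow only when an 'allow' on the item names this company.

    Fails closed: an allow without the matching attribute grants nothing,
    and a matching (or unscoped) deny overrides every allow.
    """
    allowed = False
    for a in auths:
        if a.user != user or a.item != item:
            continue
        scoped = {v for k, v in a.attributes if k == key}
        if a.kind == "deny" and (not scoped or company in scoped):
            return False           # unscoped deny covers all companies
        if a.kind == "allow" and company in scoped:
            allowed = True
    return allowed

# Constructed sample data.
AUTHS = [
    Authorization("alice", "Place Call", "allow",
                  [("Company", "Contoso"), ("Company", "Fabrikam")]),
    Authorization("alice", "Delete Customer", "allow", []),
    Authorization("bob", "Place Call", "allow", [("Company", "Contoso")]),
    Authorization("bob", "Place Call", "deny", [("Company", "Contoso")]),
]

def demo():
    return [
        check_access_for(AUTHS, "alice", "Place Call", "Fabrikam"),
        check_access_for(AUTHS, "alice", "Place Call", "Northwind"),
        check_access_for(AUTHS, "alice", "Delete Customer", "Contoso"),
        check_access_for(AUTHS, "bob", "Place Call", "Contoso"),
    ]

if __name__ == "__main__":
    print(demo())
```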

Jan 9, 2010 at 10:22 PM

Thanks for the quick reply - I have now read your entire guide. 

In the above scenario, I can see how that would work.  I would check for access, it would return allow and then I could look through the attributes to see what "Company" you had access to.

Now - I need to implement a UI to set all these companies in the role/task/operations.

1)  If I wanted to REMOVE your rights from a company or maybe remove everyone's rights from a company, how would I do that?   Those attributes would be scattered all over the place.  You may have access to 10 roles and 10 tasks - each one of those potentially having that company as an attribute?  Additionally if I removed the last company from the attribute list, would probably want to remove that role/task from your user.  Would I have to iterate through every user and every user's roles/tasks/operations to find each attribute??

2)  I have seen others asking this kind of question and also seen where you addressed it in the manual and the solution is attributes.  However, we then need more support for maintaining these attributes.  Maybe even something like your 'GetDBUsers' that would return a list of possible attribute keys (function would return "select companyId, companyName......").   Then when using the GUI this would be more natural?

3)  Finally need to turn the hierarchy around.  Given an attribute key, where is it located?  I realize attributes are scoped to the item/role/etc, so this is an issue.  I guess we need to be able to define attribute types.   I would have a 'CustomerAttribute' and when you called my "GetAttributeKeys" sql function - you would pass "CustomerAttribute", and I would return the correct list.   When adding an attribute to an item, I would add an attribute of type 'CustomerAttribute' and pick from your list.   This would give the ability to have a "CustomerAttribute" node on the tree, under that node when I clicked it - would show each customer that had an attribute somewhere - then clicking on that customer would be able to see where/what/who had rights to them.

4)  Sort of the same as #3, but in the given infrastructure - would be nice to browse by USER.  I click on a user - and under them I can see their rights, etc.  As it is now, you go to the item and add the user.  Would be nice to do it the other way around sometimes - and definitely if you want to see what rights a user has - this would help.  (I did see your 'check access' screen on the GUI - and that is a good workaround).

Product looks great - I like what you have done.  I am going to try to use it - once I figure out how to do the above.

Thoughts?

Coordinator
Jan 12, 2010 at 9:05 AM

Hi,

I have already implemented something like this but in another context.

My answers:

1) Yes

2) Custom approach is better. Everyone has their own preferences. If you want you can implement your custom solution using SQL Server function or other.

3) To avoid a SQL stress … I suggest you switch to a disconnected mode by using NetSqlAzMan.Cache.StorageCache … to read all and afterwards make all changes while in a transaction. In this way building the hierarchy is quicker. To allow hierarchy you have 2 solutions:

a. Use a flat hierarchy format: Key: “My Attribute Key”, Value: “My Company, My Department, My Sub department, and so on”

b. Use an xml format into the Attribute Value

4) Same as #2. Everyone should implement their own solution.

Regards,

Andrea.

__________________________________
Andrea Ferendeles
NetSqlAzMan Project Coordinator  
E-mail aferende@hotmail.com Web http://netsqlazman.codeplex.com
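
The "read everything once, then walk it" approach from this answer, as an added example that is not part of the original thread and does not use NetSqlAzMan.Cache.StorageCache. It builds the reverse lookup (company to the users and items that hold it) and revokes a company across a loaded snapshot; the `Authorization` model, function names and sample data are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class Authorization:               # hypothetical model, not a NetSqlAzMan type
    user: str
    item: str
    attributes: list = field(default_factory=list)  # (key, value) pairs

def index_by_company(auths, key="Company"):
    """Reverse lookup: company -> sorted [(user, item)] that hold it."""
    idx = defaultdict(set)
    for a in auths:
        for k, v in a.attributes:
            if k == key:
                idx[v].add((a.user, a.item))
    return {c: sorted(pairs) for c, pairs in idx.items()}

def revoke_company(auths, company, user=None, key="Company"):
    """Strip one company from every authorization (or only one user's).

    Returns (kept, dropped). An authorization that loses its last company
    is dropped rather than left behind as an unscoped allow; entries that
    never named the company are kept untouched.
    """
    kept, dropped = [], []
    for a in auths:
        in_scope = user is None or a.user == user
        if not in_scope or (key, company) not in a.attributes:
            kept.append(a)
            continue
        rest = [(k, v) for k, v in a.attributes if (k, v) != (key, company)]
        if any(k == key for k, _ in rest):
            kept.append(Authorization(a.user, a.item, rest))
        else:
            dropped.append(a)
    return kept, dropped

# Constructed snapshot, standing in for one full read of the store.
SNAPSHOT = [
    Authorization("alice", "Place Call",
                  [("Company", "Contoso"), ("Company", "Fabrikam")]),
    Authorization("alice", "Edit Call List", [("Company", "Contoso")]),
    Authorization("bob", "Place Call", [("Company", "Contoso")]),
    Authorization("carol", "Add Customer", []),
]
```

Applying `kept` and deleting `dropped` against the real store would then happen inside a single transaction, as the answer suggests.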

Jan 12, 2010 at 3:23 PM

Andrea,

  Thanks for the replies.

I guess I was proposing 'generic' features for the future versions of the product.

1)  That is a bunch of work to do this, but I suppose it could be made easier by making the attribute keys a particular 'format' "c-23442" so that a single sql delete from the attribute table would take care of it.

2)  My thoughts were it would be NICE to be able to use your MMC snap-in.  So, in a generic fashion as described above - it could simply 'help' with the creation of attributes with the 'optional' sql functions much like you have done for users.   Otherwise, cannot use the MMC or end up modifying it - would like to use it out of the box.   Just thought this would be a good way to help many users?

3)  Again - was thinking about the MMC - have another section/hierarchy of the MMC that dynamically is generated based on the current configuration and does it dynamically.  This would be a great feature.

4)  Again - this is a fantastic feature I can really imagine everyone using...browsing by user!

 

I am unsure of your plans for this product going forward; I did not see a road map.  What you have done so far is great.  Are you adding features or just maintaining, etc.   All of the 'features' I am talking about above are simply GUI features in the MMC/website to manage and maintain generically with a little more customization.  If I were to add some of the features into the MMC are you taking contributions to the source or?

Thanks!

 

Jan 16, 2010 at 4:40 AM

Andrea- any thoughts?

Coordinator
Jan 18, 2010 at 8:31 AM

Hi,

surely every contribution is welcome.

I will consider your suggestions for the 4.0 release which will be developed entirely with the new .NET framework 4.0.

By now no major releases are planned for the 3.6.x.x series.

Best Regards,

Andrea.

__________________________________
Andrea Ferendeles
NetSqlAzMan Project Coordinator  
E-mail aferende@hotmail.com Web http://netsqlazman.codeplex.com

Mar 27, 2010 at 11:51 PM

Andrea,

   I have finally gotten around to making the contribution from above.  It is not a big change and is very flexible to meet the needs of many users.  If they do not need or want it, it has no impact on them.  It does not modify any table structures, etc.   Please consider adding this contribution to the tree.

I am going to create an issue with all the details and then upload a patch for that issue.

Thanks, I look forward to your feedback.

 

Mar 28, 2010 at 12:27 AM

see http://netsqlazman.codeplex.com/WorkItem/View.aspx?WorkItemId=5806