Obtaining AuthorizationID

Sep 15, 2010 at 8:22 PM

Question up front: How can I get the AuthorizationID of the Authorization that granted access to a particular operation for a particular user? (Note that the authorization may actually be to a Role or application group that the user belongs to.)

Background:

I'd first like to say thanks for this great product, it fits what I was looking for almost perfectly. One thing that it doesn't support very well though (or at least I haven't figured out how) is when you need to assign permissions to individual items of the same type that vary by ID. This is affecting me for several things but in this case I will use the example of files. Our website has hundreds of files that are associated with different events and various other items on the site. We want to be able to say something like the following:

  • By default, everyone in the "Portal Users" role should have the read access of all files but this can be changed for specific files.
  • We can select individual Roles, Application Groups, or members to have write permissions to SPECIFIC files.

We've set up two Operations: "File_Read" and "File_Write". The problem is that we don't necessarily want everyone that has "File_Write" authorization to be able to edit/overwrite all files but rather User1 might be able to edit FileIDs 1, 2, and 3 and User2 might be able to edit FileIDs 4, 5, and 6. I thought about using attributes but this would then have to be a comma-separated value of FileIDs that would be very difficult to maintain and scale. Another alternative would be to have "File_Read_File1", "File_Read_File2", etc. operations for every file (not to mention File_Write_File1...etc.) which gets pretty messy and doesn't quite fit I don't think.

The solution to this problem that I'm working on is that I moved the FileIDs away from attributes and into a separate FilePermission table that has a column for the FileID and AuthorizationID. This allows me to assign FileIDs in a scalable fashion to a particular Authorization. Now I can do a CheckAccess for the user to see if they are authorized (Allow/AllowWithDelegation) for the "File_Write" operation and then from there I want to check my new table to see if the specific file ID is included. I don't know the best way or any way right now to obtain the AuthorizationID that granted the user the Allow/AllowWithDelegation permission to the "File_Write" operation. How do I find this?

Sep 16, 2010 at 8:31 AM

In your architecture … the only way is to use an Authorization attribute for each user/role/group authorization like:

Attribute key: Authorization ID

Attribute Value: NNN

Regards,

Andrea.

__________________________________
Andrea Ferendeles
NetSqlAzMan Project Coordinator
E-mail aferende@hotmail.com Web http://netsqlazman.codeplex.com
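
The two-step check discussed in this thread, as an added example that is not part of the original posts and is not NetSqlAzMan code: the operation-level result and its authorization attributes are taken as plain inputs, then the FilePermission table from the question is consulted for the specific file. Assumptions: the attributes arrive as (key, value) string pairs, the result is one of the strings shown, the function names are hypothetical, and the table rows are constructed sample data.

```python
import re
import sqlite3

ATTR_KEY = "Authorization ID"  # attribute key suggested in the reply above
GRANTING = ("Allow", "AllowWithDelegation")  # results named in the question

def build_demo_db():
    """Constructed sample data: FilePermission(FileID, AuthorizationID)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE FilePermission (FileID INTEGER NOT NULL, "
               "AuthorizationID INTEGER NOT NULL, "
               "PRIMARY KEY (FileID, AuthorizationID))")
    # Authorization 101 covers files 1-3, authorization 202 covers files 4-6.
    db.executemany("INSERT INTO FilePermission VALUES (?, ?)",
                   [(1, 101), (2, 101), (3, 101), (4, 202), (5, 202), (6, 202)])
    return db

def granting_authorization_ids(attributes):
    """Collect the IDs carried as attributes by the authorizations that granted
    access. A user may be granted through several authorizations (direct, role,
    group), so this is a set. Non-numeric values are dropped (fail closed)."""
    ids = set()
    for key, value in attributes:
        if key == ATTR_KEY and re.fullmatch(r"[0-9]+", value.strip()):
            ids.add(int(value))
    return ids

def can_write_file(db, access_result, attributes, file_id):
    """Step 1: the operation-level check must have granted "File_Write".
    Step 2: one of the granting authorizations must be tied to this file."""
    if access_result not in GRANTING:
        return False
    ids = granting_authorization_ids(attributes)
    if not ids:
        return False  # operation granted, but no authorization maps to any file
    marks = ",".join("?" * len(ids))  # placeholders only; values stay bound
    row = db.execute(
        "SELECT 1 FROM FilePermission WHERE FileID = ? "
        f"AND AuthorizationID IN ({marks}) LIMIT 1",
        (file_id, *sorted(ids))).fetchone()
    return row is not None

if __name__ == "__main__":
    db = build_demo_db()
    print(can_write_file(db, "Allow", [(ATTR_KEY, "101")], 2))
    print(can_write_file(db, "Allow", [(ATTR_KEY, "101")], 4))
```

Because the attribute value is set by hand on each authorization, a missing or mistyped value results in a denial here rather than access to every file.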