Can I access role authorization attributes from a role business rule?

Topics: General Topic, NetSqlAzMan Core
May 5, 2011 at 11:34 AM


We are evaluating NetSqlAzMan for use in a project and it looks really promising. The one area I'm not sure about is whether we can use it for per-resource authorization or not. From the documents and videos it seems like attributes are the way to go about this but I'm not exactly sure. Here is my scenario:

1. There are a number of 'projects'.

2. There are several project related roles: project manager, project assessor, project evaluator etc.

3. A User can be in one or more roles for each project and these are assigned on a per-project basis.

So the way I was thinking about doing this was:

1. Add each of the project roles to the store, set-up tasks, ops etc as normal.

2. When a user is assigned a role on a project , e.g. project manager he or she is added to the authorizations for that role.

3. Add an attribute to that authorization for the appropriate projectid. So if the user was a project manager on p1 and p2, his or her role authorization would have 2 attributes: p1 - true, p2 - true (true doesn't have any particular meaning here and could be blank).

4. Add a business rule for each role that takes project id in a context parameter. Compare this parameter against the list of attributes for the users authorization to determine if they are authorized or not. So if the app asks for a check if a user is authorized as a project manager on project p2, the biz rule will check if there is a p2 attribute for that user on the project manager authorization.


It's this last step that I'm not sure about. Is this possible? Is there a better way of doing it? For consistency I'd really like all authorization to be done in Azman, I don't want to have to pass the attributes back to the app and have it use those to self-authorize unless it's really necessary.

Thanks in advance for any help

May 5, 2011 at 4:55 PM

OK, I think I've figured out how to make it work.

The question still remains whether this is a good idea though?

Nov 29, 2011 at 8:11 PM

Hi PSutcliffe,

I am facing the same question and weighing whether to extend role provider or this one.

Do you mind share your solution and opinions?

Nov 30, 2011 at 9:03 AM
This discussion has been copied to a work item. Click here to go to the work item and continue the discussion.