AzManPermissions allows permission checks against Authorization Manager (AzMan) authorization stores at the operation level. Windows Authorization Manager is a role-based access control (RBAC) framework that provides an administrative tool to manage authorization policy and a runtime that allows applications to perform access checks against that policy.
Many sources suggest that you should use role checks in your software to ensure that the current user is authorized to perform a specific operation. It's not a bad idea, but I don't really like it, because this way you "wire" the security model into your application code, which means that when security related business needs change, you have to change the code. For example you write a method that creates a new order and write a role check (either declaratively or imperatively) in the method to ensure the user is in the Employees role because it was a requirement from your client. It works fine. But later the requirements change (they always change) and you have to allow every uthenticated user to place a new order. You have to change your code to allow the Authenticated users role to place orders. If you use operation level permission checks, you don't have to worry about that. You just define the Place order operation in AzMan and in your method you check whether the user is allowed to use the Place order operation. Your client decides what roles she needs, creates them with AzMan, allows performing operations to each role according to the current business requirements and assigns groups (or users) to the roles. It's a much more flexible approach.
AzManPermissions allows you to implement the operation level permission checks quick and easy. If you stay with role checks, AzMan still can help you.

Authorization stores
Authorization stores are repositories for authorization policy. They contain operation, tasks and roles to help you create nested permission levels. AzMan can store policy information in Active Directory, XML file or SQL Server. You can connect to an authorization store directly (you only need a connection string and an application name) or indirectly (through a service - for example if the store is in a SQL database, and clients are not allowed to connect to that server, you need a new, intermediate tier, like a service). AzManPermissions allows you to connect to AzMan stores both ways.

Declarative or imperative
.NET framework provides both declarative and imperative ways to perform permission checks. For an example, take a look at PrincipalPermissionAttribute and PrincipalPermission classes. AzManPermissions also allows you to perform permission checks both ways.

Last edited Aug 14, 2012 at 5:31 PM by pjenei, version 2


No comments yet.