Overview
To perform declarative permission checks, you use attributes. AzManPermissions contains AzManOperationPermissionAttribute for directly connected and AzManOperationRemotePermissionAttribute for remotely connected (through a service) authorization stores.

Examples of using declarative operation permission checks:
Directly connected authorization store
    [AzManOperationPermission(SecurityAction.Demand, Operation = 1)]
    public void DoSomeThing()
    {
      //Do something
    }

Remotely connected authorization store
    [AzManOperationRemotePermission(SecurityAction.Demand, Operation = 1)]
    public void DoSomeThing()
    {
      //Do something
    }


Applying multiple permission attributes
Sometimes a piece of code has to be reachable from multiple operations (for example, a common method that is reused in several operations), so you need to apply more than one attribute to it. AzManPermissions supports this. When you apply multiple attributes, the user is allowed to perform the operation if at least one attribute enables her to do so. So, if she doesn't have permission for the first operation but has permission for the second, she will be authorized to perform the action.
    [AzManOperationPermission(SecurityAction.Demand, Operation = 1)]
    [AzManOperationPermission(SecurityAction.Demand, Operation = 2)]
    public void DoSomeThing()
    {
      //Do something
    }

(The sample uses a directly connected authorization store, but the same works with remotely connected stores.)

Use enums instead of simple numbers
AzMan identifies each operation with a unique number. It is hard to remember what a specific number means, so I suggest you create an enum whose members carry the operation identifiers. This makes your code much more readable.
For example:
  public enum Operations
  {
    Start = 1,
    SomeAction = 2,
    OtherAction = 3
  }

After you have created this enum, you can use it in your permission checks:
    [AzManOperationPermission(SecurityAction.Demand, Operation = (int)Operations.Start)]
    public void DoSomeThing()
    {
      //Do something
    }

(The sample uses a directly connected authorization store, but the same works with remotely connected stores.)

Important
Before you specify a demand for AzMan operation permission, you must set the current application domain's principal policy to the enumeration value WindowsPrincipal. By default, the principal policy is set to UnauthenticatedPrincipal. If you do not set the principal policy to WindowsPrincipal, a demand for AzMan operation permission will fail. You should execute the following code before you demand the principal permission:
    AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
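
The startup ordering and the multiple-attribute check described above, put together as an added example (not code from the AzManPermissions project). Assumptions: the attribute lives in a namespace named AzManPermissions, the authorization store is already configured as the library requires, and a failed demand surfaces as the standard System.Security.SecurityException.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;
using AzManPermissions; // assumption: namespace that holds the attribute types

public enum Operations { Start = 1, SomeAction = 2 }

public static class Program
{
    // Either operation authorizes the call: with multiple attributes,
    // one granted operation is enough (see "Applying multiple permission attributes").
    [AzManOperationPermission(SecurityAction.Demand, Operation = (int)Operations.Start)]
    [AzManOperationPermission(SecurityAction.Demand, Operation = (int)Operations.SomeAction)]
    private static void DoSomeThing()
    {
        Console.WriteLine("Authorized as " + Thread.CurrentPrincipal.Identity.Name);
    }

    public static int Main()
    {
        // Set the policy first: SetPrincipalPolicy only takes effect if it runs
        // before Thread.CurrentPrincipal is read for the first time.
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);

        // Sanity check: with the default UnauthenticatedPrincipal policy this
        // would not be a WindowsPrincipal and every demand would fail.
        if (!(Thread.CurrentPrincipal is WindowsPrincipal))
        {
            Console.Error.WriteLine("Principal policy not applied; demands will fail.");
            return 2;
        }

        try
        {
            DoSomeThing(); // the declarative demand runs on method entry
            return 0;
        }
        catch (SecurityException ex) // assumption: a denied demand throws this
        {
            // Fail closed: report the denial and do not run the protected code.
            Console.Error.WriteLine("Access denied: " + ex.Message);
            return 1;
        }
    }
}
```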

Last edited Aug 14, 2012 at 8:09 PM by pjenei, version 2
