AzMan, ADAM, IdentityBlog, and Permission Manager
Thanks for the responses to my last post. Here are a few more Authentication and Authorization resources:
AzMan article on MSDN: http://msdn.microsoft.com/msdnmag/issues/03/11/AuthorizationManager/
AzMan Team Blog on MSDN: http://blogs.msdn.com/azman/
Permission Manager: http://www.gotdotnet.com/workspaces/workspace.aspx?id=762350f9-7d40-44ca-8ec0-4655e1a7682b
This workspace is for a Permission Manager and a BizRule Manager for ASP.Net 2.0. It's a provider-based solution: with the PM, you can add permissions on objects for roles and users, and with the BizRule Manager, you can specify rules that should be executed in a specific order. Here's a summary of it from Cory Isakson's blog:
"PM works by allowing the developer to create an abstracted permission object that implements IAccessObject. This is simple to implement with basic name and ID properties. The object then is used with the PermissionManager to create named permissions. The sample has a news object that is used to create various permissions. These permissions are completely separate from Users and Roles until you map them together. For example, within the news permission set we may want a print and copy permission. Using the PermissionManager static methods we make simple calls like: PermissionManager.CreatePermission(news.SourceGroup, "Copy", "Copy a document"); to create the Copy Permission. When we want to map a real Role to the Copy permission of the news object we simply execute a method like this: PermissionManager.SetPermissionForRole("Copypeople", news, "Copy");. This maps the Role of Copypeople to the permission of Copy on the news object. news really is just an object for grouping of permissions. Each application could have its own set or several sets. Through the provider model permission sets could also be shared across applications by pointing them at the same data source. This abstraction model allows us as developers to have as many application permissions as we want without needing matching security roles for each one of them."
Source: http://blog.coryisakson.com/PermaLink,guid,726794b7-4cc8-47d0-a9bb-2000b0b6c91e.aspx
Another very good resource is Kim Cameron's Identity Blog:
http://www.identityblog.com/
AzMan looks very good, but unfortunately, I don't see any ready examples or discussion of "custom authorization". The situation I am in requires that the return value of a given access check is determined not by any persistent role or stored value, but by a just-in-time operation that evaluates a complicated and variable set of properties and database states. This should be very easy to achieve with the appropriate hook or event handler wired into the access-checking mechanism.
I'm sure this capability is in there somewhere.
The flow of events I'm thinking of is something like:
- User browses to web site at ShowOrders.aspx
- ShowOrders.aspx has a grid or something with a column containing a Whiz Bang extra feature that is available only to members with a certain amount of purchase history and a minimum level of positive feedback from other users. Let's wrap up that logic into a named ID of "AccessWhizBang".
- Before rendering the WhizBang button, the system must determine whether the user meets those criteria at this moment in time.
- Ideally, it would make a call to some access checking function, passing in an enumerated or string value of AccessWhizBang along with the User IPrincipal instance.
- When the access-checking logic gets to the point where it's ready to determine whether the user qualifies for AccessWhizBang, it needs to delegate to user-specified code, not to a persistent store.
This is why I'm thinking to just use IsInRole and make it perform the programmatic check within my custom IPrincipal. I can see value to the AzMan and PermissionManager approach, but only when explicit groups and tasks and permissions are defined and stored and are not dependent on time sensitive transient conditions.
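Here is what that custom IPrincipal approach can look like in C#. This is an added example, not code from the post, from AzMan, or from the Permission Manager project. The IMemberStats interface, the InMemoryMemberStats class, the thresholds, and the sample user data are all assumptions made for the example; only the "AccessWhizBang" name and the idea of answering IsInRole from live data come from the post.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical data source for the two facts the rule needs. In a real site this
// would query the orders and feedback tables at the moment of the check.
public interface IMemberStats
{
    int PurchaseCount(string userName);
    int PositiveFeedbackCount(string userName);
}

// Custom principal: stored roles are answered from a list captured at sign-in,
// while "AccessWhizBang" is evaluated against current data every time it is asked.
public class TransientRulePrincipal : IPrincipal
{
    public const string AccessWhizBang = "AccessWhizBang";

    // Thresholds are assumptions for the example, not values from the post.
    private const int MinPurchases = 10;
    private const int MinPositiveFeedback = 5;

    private readonly IIdentity identity;
    private readonly List<string> storedRoles;
    private readonly IMemberStats stats;

    public TransientRulePrincipal(IIdentity identity, IEnumerable<string> roles, IMemberStats stats)
    {
        this.identity = identity;
        this.storedRoles = new List<string>(roles);
        this.stats = stats;
    }

    public IIdentity Identity { get { return identity; } }

    public bool IsInRole(string role)
    {
        // Anonymous users never qualify for anything, stored or transient.
        if (identity == null || !identity.IsAuthenticated) return false;

        if (string.Equals(role, AccessWhizBang, StringComparison.OrdinalIgnoreCase))
            return EvaluateWhizBang();

        foreach (string r in storedRoles)
            if (string.Equals(r, role, StringComparison.OrdinalIgnoreCase)) return true;
        return false;
    }

    private bool EvaluateWhizBang()
    {
        try
        {
            // Both facts are read now, not at login, so the answer follows the
            // user's current state rather than a role persisted earlier.
            return stats.PurchaseCount(identity.Name) >= MinPurchases
                && stats.PositiveFeedbackCount(identity.Name) >= MinPositiveFeedback;
        }
        catch (Exception)
        {
            // Fail closed: a data-source error must never grant the feature.
            return false;
        }
    }
}

// Constructed in-memory stand-in for the database, used only to show the check running.
public class InMemoryMemberStats : IMemberStats
{
    private readonly Dictionary<string, int[]> data = new Dictionary<string, int[]>();
    public void Add(string user, int purchases, int feedback) { data[user] = new int[] { purchases, feedback }; }
    public int PurchaseCount(string u) { return data.ContainsKey(u) ? data[u][0] : 0; }
    public int PositiveFeedbackCount(string u) { return data.ContainsKey(u) ? data[u][1] : 0; }
}

public class Demo
{
    public static void Main()
    {
        InMemoryMemberStats stats = new InMemoryMemberStats();
        stats.Add("alice", 12, 7);   // constructed: meets both thresholds
        stats.Add("bob", 12, 2);     // constructed: enough purchases, too little feedback

        IPrincipal alice = new TransientRulePrincipal(new GenericIdentity("alice"), new string[] { "Members" }, stats);
        IPrincipal bob = new TransientRulePrincipal(new GenericIdentity("bob"), new string[] { "Members" }, stats);

        Console.WriteLine(alice.IsInRole("Members"));                            // True (stored role)
        Console.WriteLine(alice.IsInRole(TransientRulePrincipal.AccessWhizBang)); // True (live rule)
        Console.WriteLine(bob.IsInRole(TransientRulePrincipal.AccessWhizBang));   // False (live rule)
    }
}
```

In an ASP.NET 2.0 site the principal would be assigned to HttpContext.Current.User in Application_AuthenticateRequest, so that both the page's rendering code and any role-based checks see the same object. Two points worth keeping in mind with this design: the transient rule hits the database on every call, so if a page asks several times, evaluate once per request and reuse the result; and because the answer is computed rather than stored, audit logging of why a check passed or failed has to be done inside the evaluation itself, since there is no persisted role assignment to inspect afterwards.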