Dynamic access and authorization

Topics: User Forum
Aug 7, 2007 at 5:28 PM
How could be NBusiness adapted to support dynamic authorization of actions and access to fields of entities? From what I've understood, NBusiness currently allows me to easily specify static (or constant) access and authorization rules like "this field of this entity can only be read by users in Supervisors role" and "this entity can only be inserted by users in Administrators role". What would it take to extend NBusiness to also support something like "this entity can only be fetched by following users"?

Real world example would be an application which maintains a collection of entities (e.g. files) and users in Administrators role can selectively assign rights to those entities to selected users (e.g. allow to see the file, see file properites, change file properites, change file contents etc.).

I guess first think would have to be to extend E# authorization syntax to allow to somehow specify the dynamic source of the list of users which would apply to the rule, and then one could add new project-specific templates and new authorize action types. Or is there some better solution?
Aug 9, 2007 at 6:22 PM
Actually I was just talking about this with someone else yesterday. We were talking about a slightly different problem though which is to have dynamic authorization based on the values of the entity. For example if you had a State field, you might want to say "When the entity is in this state only allow these users to update it". Which is dynamic beyond simply roles and users... So just as I was reading your post here I had an idea of how to do this.

You could have a system sort of like the validation rules, where you have the ability to create custom validation rules and pick which one to use for each validation case. In your case what we might end up with is something like "RoleAuthorizationRule" and "UserAuthorizationRule" classes and in the case I outlined above you might need a "ValueRoleAuthorizationRule" class. Your E# syntax would look like this:

using NBusiness.Data.Authorization;
authorize allow fetch role "*";
authorize allow fetch user "justinc";
authorize allow update valuerole State, 1, "Admin";
authorize allow update valuerole State, 2, "Users";

The third parameter would be the authorization rule to use, the following parameters would be the values to submit to authorization rule as arguments. How does this sound? NBusiness would come with the most common authorization rules but it would be extensible to any developer by simply adding a reference to an assembly (or creating one in your entity library) and adding the correct "using" statement above the entity that needs the rule.

What do you think about having ( ) around the parameters? Also should those rules be role or Role, ValueRole or valuerole? I'm debating against the all lowercase vs. the Pascal case because I wanted it to seem more like a keyword than an object... but perhaps it would make more sense as an object and Pascal casing.

authorize allow fetch role("*");
authorize allow fetch valuerole(State, 1, "Administrators");

Either way I would want to trim down the name similar to the way Attribute names are trimmed down in C#.