Hey, this is my blog
It is somewhat abandoned.
Enterprise Software Authorization / Security
Security Thoughts:
There are generally three types of authorization in enterprise applications:
- Role based security - Which actions can a user do - aka role-based access control
- Entity level security - A user can only perform an Action on certain objects/data - aka row level security
- Field level security - A user can see or edit only certain fields of an entity – (this is really fine grained and usually a bad idea)
There is a framework that covers all 3 of these authorization types, Rhino Security. It allows authorization to be abstracted from the business logic as a cross-cutting concern. It is deigned to handle 1 & 2 above, but people have used it to implement 3.
Here is an example of the type of rules it can easily encompass:
Survey Entity:
A survey has a start date, an end date, can be marked as applicable to a specific population, may be public or private, etc.
View Restrictions:
The specification says that a survey that the user does not own should only be visible to a user iff:
- The survey is public
- The survey is active
- The survey has started
- The survey has not ended
- The survey is for a population that the user is a member of
Entity Group:
The key concept that separates it from standard role based security is the concept of an entity-group. Entity groups are group of, well, entities and users can be granted/denied access to them just like actions.
I would really love to see someone port this concept to the entity framework. It certainly might not be right for every project, but a cohesive strategy for access control would be a big leap forward compared to a lot of projects I’ve worked on.
Further Reading: