Declarative PermissionObject
Message
From
05/02/2004 20:32:05
Keith Payne
Technical Marketing Solutions
Florida, United States
 
 
To
04/02/2004 19:00:33
Keith Payne
Technical Marketing Solutions
Florida, United States
General information
Forum:
ASP.NET
Category:
Security
Miscellaneous
Thread ID:
00873486
Message ID:
00874674
Views:
17
Sorry about the confusion. I meant to say that you cannot concatenate the Demands. However, if you load the Identity object that is attached to the Principal with the proper roles, it will work the way it should.

Your Manager Identity would have its own roles plus all of the roles that a Teller has (assuming that the Manager is allowed to perform all of the actions that a Teller may). Then you would change the declarative line to read:
    <PrincipalPermission(SecurityAction.Demand, Role:="AcctBalanceReader"), _
    WebMethod(Description:="Retreives a customer's balance from an account.")> _
    Public Function GetAccountBalance(ByRef Account As String) As Decimal
The key is to think of roles as verbs instead of nouns.

>Bob,
>
>I think you may be confusing "Role" with "Group". For instance, in SQL Server you have Users, Groups, and Roles. Roles would be "AcctBalanceReader", "DepositEnterer", "WithdrawalApprover", etc...
>Contrasted with groups such as "Managers" -> "Supervisors" -> "Tellers".
>A member of the Managers group would also be a member of Supervisors and Tellers. Groups are hierarchal. Roles are flat.
>
>The Principal class allows you to store all of the roles that a Group (and by inference, a User) is a member of in an array of strings. So a User/Group can have many roles and code-access security is designed around a User/Group performing many roles.
>
>Ugh, the brain shut down about 10 minutes ago. I hope you can understand my crummy writing.
>
>>>I would dynamically load the controls and programmatically check for permission. If the user doesn't belong to the role the control doesn't get loaded.
>>
>>Right, but how about read only? I see it needing two roles for each field...
>>
>>ReadField
>>EditField.... If edit field role you make it a text box, if read field a label, if neither then they don't get the control.
>>
>>Of course, how do you dynamically load controls on a web form... I think the controls will have to be there already. I figure a custom server control where I add two properties to hold the required roles... Or, can you put the permission attribute on the constructor of the control? Hmmm...
>>
>>BOb
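
The role loading described in the reply above, as an added example that is not part of the original post: a VB.NET console program for the .NET Framework that flattens a group into its verb-style roles when the principal is built, so each method demands a single role. Which role each group contributes, the RolesFor and ApproveWithdrawal names, and the account number are constructed for illustration.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Security
Imports System.Security.Permissions
Imports System.Security.Principal
Imports System.Threading

Module RoleDemo
    ' Constructed mapping: each group adds one role and inherits the roles of
    ' the group below it (Managers -> Supervisors -> Tellers).
    Function RolesFor(ByVal groupName As String) As List(Of String)
        Dim roles As New List(Of String)
        Select Case groupName
            Case "Managers"
                roles.Add("WithdrawalApprover")
                roles.AddRange(RolesFor("Supervisors"))
            Case "Supervisors"
                roles.Add("DepositEnterer")
                roles.AddRange(RolesFor("Tellers"))
            Case "Tellers"
                roles.Add("AcctBalanceReader")
        End Select
        Return roles ' unknown group: no roles, so every demand fails
    End Function

    <PrincipalPermission(SecurityAction.Demand, Role:="AcctBalanceReader")> _
    Function GetAccountBalance(ByVal account As String) As Decimal
        Return 100D ' constructed placeholder balance
    End Function

    <PrincipalPermission(SecurityAction.Demand, Role:="WithdrawalApprover")> _
    Sub ApproveWithdrawal(ByVal account As String)
    End Sub

    Sub Main()
        For Each groupName As String In New String() {"Tellers", "Managers"}
            ' Flatten the group into roles once, when the principal is built.
            Dim id As New GenericIdentity("member-of-" & groupName)
            Thread.CurrentPrincipal = New GenericPrincipal(id, RolesFor(groupName).ToArray())
            Console.WriteLine("{0}: balance = {1}", groupName, GetAccountBalance("0001"))
            Try
                ApproveWithdrawal("0001")
                Console.WriteLine("{0}: withdrawal approved", groupName)
            Catch ex As SecurityException
                Console.WriteLine("{0}: withdrawal denied", groupName)
            End Try
        Next
    End Sub
End Module
```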