Multiple Role-Specific Access Control Rules

Labels
AJAX(112) App Studio(7) Apple(1) Application Builder(245) Application Factory(207) ASP.NET(95) ASP.NET 3.5(45) ASP.NET Code Generator(72) ASP.NET Membership(28) Azure(18) Barcode(2) Barcodes(3) BLOB(18) Business Rules(1) Business Rules/Logic(140) BYOD(13) Caching(2) Calendar(5) Charts(29) Cloud(14) Cloud On Time(2) Cloud On Time for Windows 7(2) Code Generator(54) Collaboration(11) command line(1) Conflict Detection(1) Content Management System(12) COT Tools for Excel(26) CRUD(1) Custom Actions(1) Data Aquarium Framework(122) Data Sheet(9) Data Sources(22) Database Lookups(50) Deployment(22) Designer(177) Device(1) DotNetNuke(12) EASE(20) Email(6) Features(101) Firebird(1) Form Builder(14) Globalization and Localization(6) How To(1) Hypermedia(2) Inline Editing(1) Installation(5) JavaScript(20) Kiosk(1) Low Code(3) Mac(1) Many-To-Many(4) Maps(6) Master/Detail(36) Microservices(4) Mobile(63) Mode Builder(3) Model Builder(3) MySQL(10) Native Apps(5) News(18) OAuth(9) OAuth Scopes(1) OAuth2(13) Offline(20) Offline Apps(4) Offline Sync(5) Oracle(11) PKCE(2) Postgre SQL(1) PostgreSQL(2) PWA(2) QR codes(2) Rapid Application Development(5) Reading Pane(2) Release Notes(183) Reports(48) REST(29) RESTful(29) RESTful Workshop(15) RFID tags(1) SaaS(7) Security(81) SharePoint(12) SPA(6) SQL Anywhere(3) SQL Server(26) SSO(1) Stored Procedure(4) Teamwork(15) Tips and Tricks(87) Tools for Excel(2) Touch UI(93) Transactions(5) Tutorials(183) Universal Windows Platform(3) User Interface(338) Video Tutorial(37) Web 2.0(100) Web App Generator(101) Web Application Generator(607) Web Form Builder(40) Web.Config(9) Workflow(28)
Archive
Blog
Saturday, February 25, 2012PrintSubscribe
Multiple Role-Specific Access Control Rules

Consider the following access control rule defined in the business rules class of the Northwind sample.

The rule will limit the list of customers to those from USA and having the Contact Title of Owner if the end user is not in the role of SuperUser.

C#:

using System;
using System.Data;
using System.Collections.Generic;
using System.Linq;
using MyCompany.Data;

namespace MyCompany.Rules
{
    public partial class CustomersBusinessRules : MyCompany.Data.BusinessRules
    {
        [AccessControl("Customers", "CustomerID",
            "select CustomerID from Customers " +
            "where Country = @Country and ContactTitle = @ContactTitle")]
        public void LimitAccessToCustomersFromUSA()
        {
            if (!UserIsInRole("SuperUser"))
            {
                RestrictAccess("@Country", "USA");
                RestrictAccess("@ContactTitle", "Owner");
            }
        }
    }
}

VB:

Imports MyCompany.Data
Imports System
Imports System.Collections.Generic
Imports System.Data
Imports System.Linq

Namespace MyCompany.Rules

    Partial Public Class CustomersBusinessRules
        Inherits MyCompany.Data.BusinessRules

        <AccessControl("Customers", "CustomerID", 
            "select CustomerID from Customers " + 
            "where Country = @Country and ContactTitle = @ContactTitle")> 
        Public Sub LimitAccessToCustomersFromUSA()
            If (Not UserIsInRole("SuperUser")) Then
                RestrictAccess("@Country", "USA")
                RestrictAccess("@ContactTitle", "Owner")
            End If
        End Sub
    End Class
End Namespace

This is the effect of the method LimitAccessToCustomersFromUSA  when a list of customers presented to the standard user account admin. This user account has two roles associated with it - Administrators and Users. The absence of the SuperUser role activates the restriction.

image

What if you want to expand this rule and apply another SQL-based restriction to the same data controller for a different user role?

Simply add another method to the business rules class. For example, the following method will extend the restrictions to include customers from United Kingdom located in the city of London. The restriction will apply to all users. Notice that we have specified @Country2 parameter to ensure that there will be no conflict with the parameter @Country if both access control rules are applied at runtime.

C#:

[AccessControl("Customers", "CustomerID",
    "select CustomerID from Customers " +
    "where Country = @Country2 and City = @City")]
public void ShowUnitedKingdomCustomers()
{
    if (UserIsInRole("Users"))
    {
        RestrictAccess("@Country2", "UK");
        RestrictAccess("@City", "London");
    }
}

VB:

<AccessControl("Customers", "CustomerID",
    "select CustomerID from Customers " +
    "where Country = @Country2 and City = @City")>
Public Sub ShowUnitedKingdomCustomers()
    If (UserIsInRole("Users")) Then
        RestrictAccess("@Country2", "UK")
        RestrictAccess("@City", "London")
    End If
End Sub

This is the view of customers presented to the admin user. Both access control rules have a cumulative effect if conditional expressions in methods LimitAccessToCustomersFromUSA  and ShowUnitedKingdomCustomers are evaluated as true. The admin user account belongs to Users and is not a SuperUser.

image