Saturday, February 25, 2012
Multiple Role-Specific Access Control Rules

Consider the following access control rule defined in the business rules class of the Northwind sample.

The rule will limit the list of customers to those from USA and having the Contact Title of Owner if the end user is not in the role of SuperUser.

C#:

using System;
using System.Data;
using System.Collections.Generic;
using System.Linq;
using MyCompany.Data;

namespace MyCompany.Rules
{
    public partial class CustomersBusinessRules : MyCompany.Data.BusinessRules
    {
        [AccessControl("Customers", "CustomerID",
            "select CustomerID from Customers " +
            "where Country = @Country and ContactTitle = @ContactTitle")]
        public void LimitAccessToCustomersFromUSA()
        {
            if (!UserIsInRole("SuperUser"))
            {
                RestrictAccess("@Country", "USA");
                RestrictAccess("@ContactTitle", "Owner");
            }
        }
    }
}

VB:

Imports MyCompany.Data
Imports System
Imports System.Collections.Generic
Imports System.Data
Imports System.Linq

Namespace MyCompany.Rules

    Partial Public Class CustomersBusinessRules
        Inherits MyCompany.Data.BusinessRules

        <AccessControl("Customers", "CustomerID", 
            "select CustomerID from Customers " + 
            "where Country = @Country and ContactTitle = @ContactTitle")> 
        Public Sub LimitAccessToCustomersFromUSA()
            If (Not UserIsInRole("SuperUser")) Then
                RestrictAccess("@Country", "USA")
                RestrictAccess("@ContactTitle", "Owner")
            End If
        End Sub
    End Class
End Namespace

This is the effect of the method LimitAccessToCustomersFromUSA  when a list of customers presented to the standard user account admin. This user account has two roles associated with it - Administrators and Users. The absence of the SuperUser role activates the restriction.

image

What if you want to expand this rule and apply another SQL-based restriction to the same data controller for a different user role?

Simply add another method to the business rules class. For example, the following method will extend the restrictions to include customers from United Kingdom located in the city of London. The restriction will apply to all users. Notice that we have specified @Country2 parameter to ensure that there will be no conflict with the parameter @Country if both access control rules are applied at runtime.

C#:

[AccessControl("Customers", "CustomerID",
    "select CustomerID from Customers " +
    "where Country = @Country2 and City = @City")]
public void ShowUnitedKingdomCustomers()
{
    if (UserIsInRole("Users"))
    {
        RestrictAccess("@Country2", "UK");
        RestrictAccess("@City", "London");
    }
}

VB:

<AccessControl("Customers", "CustomerID",
    "select CustomerID from Customers " +
    "where Country = @Country2 and City = @City")>
Public Sub ShowUnitedKingdomCustomers()
    If (UserIsInRole("Users")) Then
        RestrictAccess("@Country2", "UK")
        RestrictAccess("@City", "London")
    End If
End Sub

This is the view of customers presented to the admin user. Both access control rules have a cumulative effect if conditional expressions in methods LimitAccessToCustomersFromUSA  and ShowUnitedKingdomCustomers are evaluated as true. The admin user account belongs to Users and is not a SuperUser.

image