ice.NET Key Concepts: Access Control Lists (ACLs)
ACL-based authorization management is available for
- Folders
- Objects
- Model Packages
- Parties (Users, Groups and Roles)
- Profiles (built-in and custom application functions)
Together with the organization management functionality,
ice.NET provides a sophisticated solution for efficient management
of object-oriented as well as functional access rights.
Examples
To manage and test permissions based on ACLs, the IDatabaseRepository
interface provides a family of methods...
- AddAuthorization
- SetAuthorization
- RemoveAuthorization
- GetAuthorizations
- GetAuthorizationLevel
- HasAuthorization
- CheckAuthorization
...that can be applied to all relevant ice.NET items:
- Folders
- Objects
- Packages
- Parties
- Profiles
The HasAuthorization and CheckAuthorization methods calculate the
effective permission, i.e. the permission level that results
after recursively evaluating the party's group/role memberships. The implementation
of IDatabaseRepository must provide an efficient, optimized
algorithm to calculate this result.
This example shows how to use the IDatabaseRepository.AddAuthorization(Model.IFolder, string, int)
method to add read/write permissions for user "John Doe" to a folder. If a higher permission
level has already been set, this method does not reduce the level.
IFolder pFolder = Repository.GetFolderByKey("ICR.Data");
Repository.ExecuteTransaction(delegate()
{
    // Raises "John Doe" to Write on the folder; an existing higher level is kept.
    Repository.AddAuthorization(pFolder, "John Doe", AuthorizationLevel.Write);
});
This example shows how to use the IDatabaseRepository.SetAuthorization(Model.IFolder, string, int)
method to set read permissions for user "John Doe" to a folder. If a higher permission
level has already been set, this method reduces the level.
IFolder pFolder = Repository.GetFolderByKey("ICR.Data");
Repository.ExecuteTransaction(delegate()
{
    // Sets "John Doe" to exactly Read on the folder, lowering a higher level if present.
    Repository.SetAuthorization(pFolder, "John Doe", AuthorizationLevel.Read);
});
This example shows how to use the IDatabaseRepository.RemoveAuthorization(string, string)
method to remove all permissions for group "Support Engineers" from the profile
"System.Development". Notice that profiles are identified by their name.
Repository.ExecuteTransaction(delegate()
{
    // The profile is addressed by its name, the party by its name as well.
    Repository.RemoveAuthorization("System.Development", "Support Engineers");
});
This example shows how to use the IDatabaseRepository.GetAuthorizations(Model.IObject)
method to retrieve all authorized parties together with their permission level
for a specific object.
// objectId is assumed to hold the identifier of the object being inspected.
IObject pObject = Repository.GetObject(objectId);
AuthorizationEntry[] aAuthorizations = Repository.GetAuthorizations(pObject);
foreach (AuthorizationEntry sAuthorization in aAuthorizations)
{
    Console.WriteLine(sAuthorization.PartyName + ": " + sAuthorization.Authorization);
}
This example shows how to use the IDatabaseRepository.GetAuthorizationLevel(Model.IFolder, string)
method to retrieve the authorization level for user "John Doe" on a specific folder.
IFolder pFolder = Repository.GetFolderByKey("ICR.Data");
int level = Repository.GetAuthorizationLevel(pFolder, "John Doe");
This example shows how to use the IDatabaseRepository.HasAuthorization(Model.IFolder, string, int)
method to find out if user "John Doe" has read permissions on a specific folder. This
method considers the group/role memberships of the user (recursively) when calculating the
result.
IFolder pFolder = Repository.GetFolderByKey("ICR.Data");
if (Repository.HasAuthorization(pFolder, "John Doe", AuthorizationLevel.Read))
{
    Console.WriteLine(pFolder.Name + " is readable.");
}
This example shows how to use the IDatabaseRepository.CheckAuthorization(Model.IFolder, string, int)
method to verify that user "John Doe" has read permissions on a specific folder. This
method considers the group/role memberships of the user (recursively) when calculating the
result. If the required effective permission is not available, this method throws an
AuthorizationException that describes the available and the missing permission level.
IFolder pFolder = Repository.GetFolderByKey("ICR.Data");
// Throws AuthorizationException if the effective level is below Read; otherwise execution continues.
Repository.CheckAuthorization(pFolder, "John Doe", AuthorizationLevel.Read);
Console.WriteLine(pFolder.Name + " is readable.");
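The following self-contained C# model is an added illustration, not ice.NET code and not the real IDatabaseRepository, of the semantics the examples above rely on: AddAuthorization never lowers an existing level, SetAuthorization does, GetAuthorizationLevel returns the directly granted level, and HasAuthorization/CheckAuthorization resolve the effective level by walking group/role memberships transitively, with a visited set so a membership cycle cannot recurse forever. The names AclStore, AclLevel, AclDeniedException, AddMembership and GetEffectiveLevel, the enum in place of ice.NET's integer levels, the rule that the effective level is the highest level found along any membership path, and the sample parties and folder key are all assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;

// Assumed permission levels (ice.NET uses integer levels; the ordering is what matters here).
public enum AclLevel { None = 0, Read = 1, Write = 2, Admin = 3 }

// Assumed stand-in for AuthorizationException: carries the available and the required level.
public sealed class AclDeniedException : Exception
{
    public AclLevel Available { get; }
    public AclLevel Required { get; }
    public AclDeniedException(string party, string item, AclLevel available, AclLevel required)
        : base(party + " has " + available + " on " + item + ", " + required + " required")
    { Available = available; Required = required; }
}

// Hypothetical in-memory ACL store (example only, not the ice.NET implementation).
public sealed class AclStore
{
    // item key -> (party name -> directly granted level)
    private readonly Dictionary<string, Dictionary<string, AclLevel>> _acl =
        new Dictionary<string, Dictionary<string, AclLevel>>();
    // party name -> groups/roles the party belongs to directly
    private readonly Dictionary<string, HashSet<string>> _memberships =
        new Dictionary<string, HashSet<string>>();

    private Dictionary<string, AclLevel> Entries(string item)
    {
        Dictionary<string, AclLevel> entries;
        if (!_acl.TryGetValue(item, out entries))
            _acl[item] = entries = new Dictionary<string, AclLevel>();
        return entries;
    }

    public void AddMembership(string party, string group)
    {
        HashSet<string> groups;
        if (!_memberships.TryGetValue(party, out groups))
            _memberships[party] = groups = new HashSet<string>();
        groups.Add(group);
    }

    // AddAuthorization: keeps an existing higher level, never reduces it.
    public void AddAuthorization(string item, string party, AclLevel level)
    {
        var entries = Entries(item);
        AclLevel current;
        entries[party] = entries.TryGetValue(party, out current) && current > level ? current : level;
    }

    // SetAuthorization: overwrites the direct entry, so it can reduce the level.
    public void SetAuthorization(string item, string party, AclLevel level) => Entries(item)[party] = level;

    public void RemoveAuthorization(string item, string party) => Entries(item).Remove(party);

    // Direct level of the party on the item; memberships are not consulted.
    public AclLevel GetAuthorizationLevel(string item, string party)
    {
        AclLevel level;
        return Entries(item).TryGetValue(party, out level) ? level : AclLevel.None;
    }

    // Effective level: highest direct level of the party or of any group/role reached through
    // its memberships, transitively. The visited set stops membership cycles.
    public AclLevel GetEffectiveLevel(string item, string party)
    {
        var best = AclLevel.None;
        var visited = new HashSet<string>();
        var pending = new Stack<string>();
        pending.Push(party);
        while (pending.Count > 0)
        {
            var p = pending.Pop();
            if (!visited.Add(p)) continue;           // already evaluated (or a cycle)
            var level = GetAuthorizationLevel(item, p);
            if (level > best) best = level;
            HashSet<string> groups;
            if (_memberships.TryGetValue(p, out groups))
                foreach (var g in groups) pending.Push(g);
        }
        return best;
    }

    public bool HasAuthorization(string item, string party, AclLevel required) =>
        GetEffectiveLevel(item, party) >= required;

    public void CheckAuthorization(string item, string party, AclLevel required)
    {
        var available = GetEffectiveLevel(item, party);
        if (available < required) throw new AclDeniedException(party, item, available, required);
    }
}

public static class AclDemo
{
    public static void Main()
    {
        var acl = new AclStore();
        // Constructed sample data: John Doe -> Support Engineers -> Staff, and Staff may read ICR.Data.
        acl.AddMembership("John Doe", "Support Engineers");
        acl.AddMembership("Support Engineers", "Staff");
        acl.SetAuthorization("ICR.Data", "Staff", AclLevel.Read);

        // No direct entry for John Doe, yet Read is inherited two membership levels up.
        Console.WriteLine("direct: " + acl.GetAuthorizationLevel("ICR.Data", "John Doe"));
        Console.WriteLine("effective read: " + acl.HasAuthorization("ICR.Data", "John Doe", AclLevel.Read));

        // Add Write, then Add Read: the second call must not lower the level.
        acl.AddAuthorization("ICR.Data", "John Doe", AclLevel.Write);
        acl.AddAuthorization("ICR.Data", "John Doe", AclLevel.Read);
        Console.WriteLine("after Add: " + acl.GetAuthorizationLevel("ICR.Data", "John Doe"));

        // Set Read does lower it; the subsequent Write check is denied with both levels reported.
        acl.SetAuthorization("ICR.Data", "John Doe", AclLevel.Read);
        try { acl.CheckAuthorization("ICR.Data", "John Doe", AclLevel.Write); }
        catch (AclDeniedException e) { Console.WriteLine("denied: " + e.Message); }
    }
}
```

The membership walk is iterative rather than recursive on purpose: with deeply nested groups or a cycle in the membership graph, a naive recursive evaluation can overflow the stack or loop forever, and the visited set is what makes the effective-permission query terminate. A repository that evaluates ACLs on every access would additionally cache the resolved membership closure per party, which is the kind of optimization the note on an "efficient, optimized algorithm" above refers to.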