ice.NET Key Concepts: Access Control Lists (ACLs)

ACL-based authorization management is available for

  • Folders
  • Objects
  • Model Packages
  • Parties (Users, Groups and Roles)
  • Profiles (built-in and custom application functions)

Together with the organization management functionality, ice.NET provides a sophisticated solution for efficient management of object-oriented as well as functional access rights.

Example

To manage and test permissions based on ACLs, the IDatabaseRepository interface provides a family of methods...

  • AddAuthorization
  • SetAuthorization
  • GetAuthorizations
  • GetAuthorizationLevel
  • HasAuthorization
  • CheckAuthorization

...that can be applied to all relevant ice.NET items:

  • Folders
  • Objects
  • Packages
  • Parties
  • Profiles

The HasAuthorization and CheckAuthorization methods calculate the effective permission, i.e. the permission level after recursively evaluating group/role memberships. The implementation of IDatabaseRepository must provide an efficient, optimized algorithm to calculate the desired result.

This example shows how to use the IDatabaseRepository.AddAuthorization(Model.IFolder, string, int) method to add read/write permissions for user "John Doe" to a folder. If a higher permission level has already been set, this method does not reduce the level.

IFolder pFolder = Repository.GetFolderByKey("ICR.Data");

Repository.ExecuteTransaction(delegate()
{
    Repository.AddAuthorization(pFolder, "John Doe", AuthorizationLevel.Write);
});

This example shows how to use the IDatabaseRepository.SetAuthorization(Model.IFolder, string, int) method to set read permissions for user "John Doe" on a folder. If a higher permission level has already been set, this method reduces the level.

IFolder pFolder = Repository.GetFolderByKey("ICR.Data");

Repository.ExecuteTransaction(delegate()
{
    Repository.SetAuthorization(pFolder, "John Doe", AuthorizationLevel.Read);
});

This example shows how to use the IDatabaseRepository.RemoveAuthorization(string, string) method to remove all permissions for group "Support Engineers" from the profile "System.Development". Notice that profiles are identified by their name.

Repository.ExecuteTransaction(delegate()
{
    Repository.RemoveAuthorization("System.Development", "Support Engineers");
});

This example shows how to use the IDatabaseRepository.GetAuthorizations(Model.IObject) method to retrieve all authorized parties together with their permission level for a specific object.

IObject pObject = Repository.GetObject(objectId);

AuthorizationEntry[] aAuthorizations = Repository.GetAuthorizations(pObject);

foreach (AuthorizationEntry sAuthorization in aAuthorizations)
{
    Console.WriteLine(sAuthorization.PartyName + ": " + sAuthorization.Authorization);
}

This example shows how to use the IDatabaseRepository.GetAuthorizationLevel(Model.IFolder, string) method to retrieve the authorization level for user "John Doe" on a specific folder.

IFolder pFolder = Repository.GetFolderByKey("ICR.Data");

int level = Repository.GetAuthorizationLevel(pFolder, "John Doe");

This example shows how to use the IDatabaseRepository.HasAuthorization(Model.IFolder, string, int) method to find out if user "John Doe" has read permissions on a specific folder. This method considers the group/role memberships of the user (recursively) when calculating the result.

IFolder pFolder = Repository.GetFolderByKey("ICR.Data");

if (Repository.HasAuthorization(pFolder, "John Doe", AuthorizationLevel.Read))
{
    Console.WriteLine(pFolder.Name + " is readable.");
}

This example shows how to use the IDatabaseRepository.CheckAuthorization(Model.IFolder, string, int) method to find out if user "John Doe" has read permissions on a specific folder. This method considers the group/role memberships of the user (recursively) when calculating the result. If the required effective permission is not available, this method throws an AuthorizationException that describes the available and missing permission level.

IFolder pFolder = Repository.GetFolderByKey("ICR.Data");

Repository.CheckAuthorization(pFolder, "John Doe", AuthorizationLevel.Read);

Console.WriteLine(pFolder.Name + " is readable.");
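
The following added example (not ice.NET code) models the add/set semantics and the recursive effective-permission calculation described above in a small in-memory class. AclModel, Level, Direct and Effective are hypothetical names; the numeric level values and the rule that the highest level found on the party or any of its groups/roles wins are assumptions.

```csharp
using System;
using System.Collections.Generic;
// Added illustration, not ice.NET code. Numeric level values are assumed.
static class Level { public const int None = 0, Read = 1, Write = 2; }

class AclModel
{
    // Hypothetical storage: party -> level granted directly on one item.
    readonly Dictionary<string, int> direct = new Dictionary<string, int>();
    // party -> groups/roles it directly belongs to.
    readonly Dictionary<string, List<string>> memberOf = new Dictionary<string, List<string>>();
    public void AddMember(string party, string group)
    {
        if (!memberOf.TryGetValue(party, out var groups))
            memberOf[party] = groups = new List<string>();
        groups.Add(group);
    }
    public int Direct(string party) => direct.TryGetValue(party, out var l) ? l : Level.None;
    // Add semantics: never lowers an existing level.
    public void Add(string party, int level) => direct[party] = Math.Max(Direct(party), level);
    // Set semantics: overwrites, so it can lower the level.
    public void Set(string party, int level) => direct[party] = level;
    // Assumed rule: effective level = highest level on the party or any transitive group/role.
    public int Effective(string party)
    {
        var seen = new HashSet<string>();
        var todo = new Stack<string>(new[] { party });
        int best = Level.None;
        while (todo.Count > 0)
        {
            string p = todo.Pop();
            if (!seen.Add(p)) continue; // membership cycle: already visited
            best = Math.Max(best, Direct(p));
            if (memberOf.TryGetValue(p, out var groups))
                foreach (var g in groups) todo.Push(g);
        }
        return best;
    }
    static void Main()
    {
        var acl = new AclModel();
        acl.AddMember("John Doe", "Support Engineers");
        acl.AddMember("Support Engineers", "Staff");
        acl.AddMember("Staff", "Support Engineers"); // constructed cycle
        acl.Add("Staff", Level.Write);
        acl.Set("John Doe", Level.Read); // only the direct entry is Read
        Console.WriteLine("direct=" + acl.Direct("John Doe") + " effective=" + acl.Effective("John Doe"));
    }
}
```

Under this model, lowering a user's direct entry leaves the effective level unchanged while a group or role the user belongs to still grants more, so an access review has to cover the memberships as well as the user's own entry.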