AzMan 嵌套角色未找到角色中的用户
我正在将 AzMan (1.0) 用于 ASP.Net Web 应用程序,并且我有一个关于嵌套角色的问题。
假设我有以下角色: 我的应用程序 我的应用程序用户 我的应用管理 MyAppSupport
大多数情况下,所有用户 (MyApp) 都可以访问该应用程序,但某些功能将特定于其他角色。
我想以声明方式将对网页的访问限制为 MyApp 角色的成员。
[PrincipalPermission(SecurityAction.Demand, Role = "MyApp")]
我将检查 User.IsInRole 或使用 AzMan API 来检查代码中的操作权限。
用户被分配给较低级别的角色(用户、管理员、支持),并且这些角色将添加到 MyApp 角色。
问题是,当我检查用户是否是 MyApp 角色的成员时,他们不是,即使他们所在的角色属于 MyApp 角色。检查这一点的唯一方法是递归地遍历所有角色吗?这意味着我无法使用声明性安全性,或者为此我必须将所有用户添加到顶级组(不理想)。
I'm using AzMan (1.0) for an ASP.Net web app, and I have a question about nested Roles.
Say I have the following roles:
MyApp
MyAppUser
MyAppAdmin
MyAppSupport
For the most part, all users (MyApp) can access the app, but some functions will be specific to the other roles.
I want to declaratively restrict access to the web pages to members of the MyApp role.
[PrincipalPermission(SecurityAction.Demand, Role = "MyApp")]
I will check User.IsInRole or use the AzMan API to check for operation permissions within my code.
The users are assigned to the lower level roles (user, admin, support) and those roles are added to the MyApp role.
The problem is that when I check if the user is a member of the MyApp role, they aren't, even though the role they are in belongs to the MyApp role. Is the only way to check this is to recursively go through all the roles? That'd mean I cant use the declarative security, or to do so I'd have to add all users to the top level group as well (not ideal).
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
听起来您希望在对
IsInRole()的调用中支持复合角色定义(其中角色定义被定义为包含其他角色定义)。我认为如果您使用组继承和角色分配,您会得到您想要的结果。换句话说,不要依赖
IsInRole遵循“MyApp”的角色定义来确定角色定义“MyAppAdmin”是该定义的一部分,而是使用组创建继承,然后分配使用角色分配将一个或多个组添加到您的角色定义。您可以创建一个“管理员”组,该组可能是“所有人”组的成员。我真的认为你的角色名称确实是更好的组名称。角色表示某些能力,而不是根据用户的权限对用户进行分类。这就是团体的用途。
例如,假设大多数用户(不是管理员或支持人员)对您的应用程序具有只读访问权限。我倾向于将该角色称为“查看者”,并为其分配任务或操作,使该角色的用户只能查看(而不能编辑)任何数据。我会将每个人分配给该角色(无论是只与一组还是几组一起完成并不重要)。 “支持”角色允许分配给它的用户执行某些操作(或任务分组操作)。只有某些人会被分配到该角色(同样,也许他们是单独分配的,或者我有一个名为“客户支持代表”的组 - 并不重要)。
在我的应用程序中,我可以检查
IsInRole("Viewer")并且每个用户都将担任该角色。但是,如果我检查IsInRole("Support"),则只有分配给该角色的“客户支持代表”组中的人员才会返回 True。It sounds like you're expecting composite Role Definition (where a Role Definition is defined to include other Role Definitions) to be supported in the call to
IsInRole(). I think you'd get the results you want if you used Group inheritance and Role Assignment instead.In other words, rather than depending on
IsInRoleto follow the Role Definition for "MyApp" to determine that the Role Definition "MyAppAdmin" is part of that definition, create the inheritance using Groups instead, and then assign one or more groups to your Role Definition using Role Assignment. You could create an "Administrators" group, which might be a member of the "Everyone" group.I'm really thinking that your role names are really better group names. A role signifies certain capabilities, not a classification of users based on their rights. That's what a group is for.
For example, suppose that most users (not admins or support) have read-only access to your app. I tend to call that role "Viewer" and I assign it the tasks or operations that allows users in that role only the ability to view, not edit, any data. I would assign everyone to that role (whether I do that with just one group or several doesn't really matter). The "Support" role allows users assigned to it to perform certain operations (or tasks grouping operations). Only some people would be assigned to that role (again, maybe they are assigned individually, or I have a group named "Customer Support Reps" -- doesn't matter).
In my app, I could check
IsInRole("Viewer")and everyone who is a user will be in that role. But if I checkIsInRole("Support"), only the people in the "Customer Support Reps" group assigned to that role would return True.