Windows Azure Platform Developer Center > Azure Forums > AppFabric

General Discussion: I want to implement role based access control

  • Monday, June 29, 2009 2:57 AM, vinayrajaram

    I wanted to implement role based access control (RBAC). Are there any samples for working on this?
    Our objective is to use a console based application and implement role based access control.

    Consider the example of usernamepasswordcalculatorservice, which is in the March CTP 2009.

    Scenario

    Consider that we have two users, A and B.
    User A should have access to Calculator.Add, Calculator.Subtract
    User B should have access to Calculator.Multiply, Calculator.Divide

    How can we achieve this?

    What settings are required in the Access Control Service?

    What are the code changes required?

    Can you please help us in solving this scenario?


    Finally, I wanted to ask whether we can use an email id as a claim in the Access Control Service:

    input claim:  type: email,  value: UserA@xxxx.com,  issuer: accesscontrol.windows.net

    output claim: type: action, value: Calculator.Add,  issuer: solutionname.accesscontrol.windows.net

    Code

    using System.IdentityModel.Claims;
    using System.ServiceModel;

    // Walks every ClaimSet attached to the current WCF operation and returns
    // as soon as one contains the expected claim AND was issued by the trusted
    // issuer. Note: despite its name, this version matches on the email address
    // claim type rather than on an "action" claim, so claimValue must be the
    // caller's email address.
    public static void DemandActionClaim(string claimValue)
    {
        foreach (ClaimSet claimSet in OperationContext.Current
                                                      .ServiceSecurityContext
                                                      .AuthorizationContext
                                                      .ClaimSets)
        {
            foreach (Claim claim in claimSet)
            {
                // CheckClaim compares the claim's type and value against the expected pair.
                if (AccessControlHelper.CheckClaim(claim.ClaimType,
                                                   claim.Resource.ToString(),
                                                   "http://docs.oasis-open.org/wsfed/authorization/200706/claims/emailaddress",
                                                   claimValue))
                {
                    // A matching claim only counts if the trusted issuer signed it.
                    if (AccessControlHelper.IsIssuedByIbn(claimSet))
                    {
                        return;
                    }
                }
            }
        }

        // No acceptable claim found: fail closed.
        throw new FaultException("Access denied.");
    }

    Awaiting your reply.



    • Edited by vinayrajaram, Monday, June 29, 2009 2:59 AM (modifications)
    • Edited by vinayrajaram, Monday, June 29, 2009 3:00 AM (modifications)

All Replies

  • Monday, June 29, 2009 7:37 AM, Stephane GUNET

    Using e-mail is possible, but not a very robust solution, since e-mail addresses can change quite often. It would be better to use something like a User ID that cannot change. But then it all depends on where your users will be authenticated. If you use Active Directory and Geneva Server, you have no problems; if you use Live ID, the only information we can get right now is the email address (which is a WLID claim, issued by live.com).

    Second point: if you want to implement Role Based access control, you need roles. Which means your claims mapping would be something like this:
    Input claim: WLid = userA@live.com, issued by live.com -> Output claim: Role = CalcSimple
    Input claim: Role = CalcSimple, issued by yoursolution.accesscontrol.windows.net -> Output claim: Action = Calculator.Add
    Input claim: Role = CalcSimple, issued by yoursolution.accesscontrol.windows.net -> Output claim: Action = Calculator.Subtract
    Input claim: WLid = userB@live.com, issued by live.com -> Output claim: Role = CalcComplex
    Input claim: Role = CalcComplex, issued by yoursolution.accesscontrol.windows.net -> Output claim: Action = Calculator.Multiply
    Input claim: Role = CalcComplex, issued by yoursolution.accesscontrol.windows.net -> Output claim: Action = Calculator.Divide
    As you can see, the rules can be chained. With this design, you can change your roles and add a Square operation to role CalcComplex without having to modify the rules for every user.

    Last point: Live ID authentication through ACS can (as far as I know) only be used in web based applications. For a console application, you would have to use the Live SDK, or another identity provider. I also do not think the username/password authentication illustrated in the Calculator sample is meant to be used for production applications. I even remember reading it would be removed before ACS goes into production. You can either authenticate using ACS and some claims based identity provider, like Geneva Server, or handle authentication yourself in your app through some "classic" method (like AD or a username/password DB). In this case, check this link for an interesting way to use this: http://blogs.msdn.com/justinjsmith/archive/2009/03/24/tokenclient-mix-introduction.aspx
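To show how the chained rule set above behaves (WLid claim -> Role claim -> Action claims) and why the service must still check the issuer of the Action claim, here is a small constructed simulation of ACS-style rule evaluation. It is added example code, not ACS itself and not from the thread; the issuer names and the six rules are taken from the reply, and the fixed-point evaluation loop is an assumption about how chaining resolves.

```python
from dataclasses import dataclass

SOLUTION_ISSUER = "yoursolution.accesscontrol.windows.net"  # from the reply
LIVE_ISSUER = "live.com"


@dataclass(frozen=True)
class Claim:
    type: str
    value: str
    issuer: str


# Each rule: if the input claim is present, the solution's ACS emits the
# output (type, value) under its own issuer name. Six rules from the reply.
RULES = [
    (Claim("WLid", "userA@live.com", LIVE_ISSUER), ("Role", "CalcSimple")),
    (Claim("Role", "CalcSimple", SOLUTION_ISSUER), ("Action", "Calculator.Add")),
    (Claim("Role", "CalcSimple", SOLUTION_ISSUER), ("Action", "Calculator.Subtract")),
    (Claim("WLid", "userB@live.com", LIVE_ISSUER), ("Role", "CalcComplex")),
    (Claim("Role", "CalcComplex", SOLUTION_ISSUER), ("Action", "Calculator.Multiply")),
    (Claim("Role", "CalcComplex", SOLUTION_ISSUER), ("Action", "Calculator.Divide")),
]


def evaluate(input_claims, rules, issuer=SOLUTION_ISSUER):
    """Apply rules until no new claim appears (assumed fixed-point semantics),
    so a Role claim emitted by one rule can satisfy the input side of another."""
    claims = set(input_claims)
    while True:
        emitted = {Claim(t, v, issuer) for inp, (t, v) in rules if inp in claims}
        if emitted <= claims:
            return claims
        claims |= emitted


def permitted_actions(claims, trusted_issuer=SOLUTION_ISSUER):
    """Only Action claims issued by the solution's ACS count; an Action claim
    carried in under any other issuer is ignored, mirroring IsIssuedByIbn."""
    return sorted(c.value for c in claims
                  if c.type == "Action" and c.issuer == trusted_issuer)


def demand_action(claims, action):
    """Service-side check in the spirit of DemandActionClaim: fail closed
    unless the trusted issuer granted exactly this action."""
    if action not in permitted_actions(claims):
        raise PermissionError("Access denied.")
    return True
```

Extending RULES with one more CalcComplex -> Calculator.Square rule grants Square to every CalcComplex user without touching any per-user rule, which is the point of the chaining.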
  • Tuesday, June 30, 2009 9:09 AM, vinayrajaram

    Thank you, Stephane GUNET.