security with principalpermissionsattribute and various AD environments

  • Question

  • Hi all,

    We have this code in one of our systems:

    [PrincipalPermission(SecurityAction.Demand,Role="svcPortal_admin_prod,svcPortal_admin_test,svcPortal_admin_dev")]

    however we have a problem where occasionally someone in TEST does something they shouldn't in prod, and these folks while some do have permissions in both, many don't, so I was just wondering if there is an easy way to do something like changing the role to be more dynamic so that "svcPortal_admin_{env}" might cause less issues...?

    If this is not an easy thing to do/won't solve this problem as easily as I think it will or there is a better place or way to catch/handle this kind of issue then we'll give it a miss or you can point me in a better direction.

    :)

    Thanks in advance for any insights.


    - sure I'm noJedi but that's no reason to stop trying to make stuff levitate! -

    Sunday, May 31, 2015 2:11 AM

Answers

  • >> so I was just wondering if there is an easy way to do something like changing the role to be more dynamic so that "svcPortal_admin_{env}" might cause less issues...?

    No, I am afraid that the string value that you set the Role parameter to must be a constant value that is known at compile time so this is not possible.

    >>If this is not an easy thing to do/won't solve this problem as easily as I think it will or there is a better place or way to catch/handle this kind of issue then we'll give it a miss or you can point me in a better direction.

    If you require more dynamic control over how the Roles property is assigned you could remove the attribute and use the PrincipalPermission class and its Demand method in the method itself:

    string role = "..."; //get role based on your logic...
    PrincipalPermission principalPerm = new PrincipalPermission(null, role);
    principalPerm.Demand(); //may throw a SecurityException that you can catch and handle

    Using declarative attributes is not the best option in situations like this.

    Hope that helps.

    Please remember to close your threads by marking helpful posts as answer and then start a new thread if you have a new question. Please don't ask several questions in the same thread.

    • Marked as answer by noJedi Tuesday, June 2, 2015 3:04 PM
    Sunday, May 31, 2015 8:54 PM
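
Added example, not part of the original thread or the poster's code: one way to turn the imperative `PrincipalPermission.Demand()` approach from the answer into a per-environment check built on the thread's `svcPortal_admin_{env}` naming. The `EnvironmentRoleGuard` class, its allow-list of environment names and the `GenericPrincipal` used for the demo are assumptions; it targets .NET Framework, where `PrincipalPermission` checks `Thread.CurrentPrincipal`.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

static class EnvironmentRoleGuard
{
    // Assumption: these are the only environments; anything else fails closed.
    static readonly HashSet<string> KnownEnvironments =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "prod", "test", "dev" };

    // Builds the single role name for one environment, e.g. svcPortal_admin_test.
    public static string RoleFor(string environment)
    {
        if (environment == null || !KnownEnvironments.Contains(environment))
            throw new SecurityException("Unknown environment; no role name built.");
        return "svcPortal_admin_" + environment.ToLowerInvariant();
    }

    // Imperative demand against Thread.CurrentPrincipal for that one role.
    public static void DemandAdmin(string environment)
    {
        new PrincipalPermission(null, RoleFor(environment)).Demand();
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed principal for the demo: admin role in TEST only.
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("constructed.user"), new[] { "svcPortal_admin_test" });
        foreach (string env in new[] { "test", "prod", "staging" })
        {
            try
            {
                EnvironmentRoleGuard.DemandAdmin(env);
                Console.WriteLine(env + ": demand succeeded");
            }
            catch (SecurityException ex)
            {
                Console.WriteLine(env + ": denied (" + ex.Message + ")");
            }
        }
    }
}
```

In a deployed service the environment name passed to `DemandAdmin` should come from that deployment's own configuration rather than from anything the caller supplies, so a TEST-only admin cannot pass the demand in PROD.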

All replies

  • I think this is good advice, thanks greatly.

    - sure I'm noJedi but that's no reason to stop trying to make stuff levitate! -

    Tuesday, June 2, 2015 3:05 PM