Can I leverage ACLs with my own objects?

  • Question

  • I have a web server using forms identification that accesses a database. Let's say the database has personnel records stored by department. I want to be able to set permissions for users' access to personnel records by department. I need more than just role-based security, as the administrator for one department is not the administrator for all. The administrator for a department should be able to define who can read/write personnel records through the UI. I want the same functionality as with directories and files (i.e. the DirectorySecurity class), but on my own objects, e.g. specify users as being members of groups and define read/write/etc. access to each department. I can store an ACL in the database, but there doesn't seem to be any way of using it. Am I barking up the wrong tree here?
    Tuesday, January 29, 2008 5:39 AM

All replies

  • Perhaps I should just answer my own question. The short answer is you can (sort of), but why would you?


    You can do it, because you can create a GenericPrincipal and load the userid with a dummy SID (e.g. S-1-9-1-123 where 123 maps back to your userid) and the roles with SID strings representing the groups the user has access to (e.g. S-1-9-2-456 where 456 maps to a group). Then you can load an ACL string (SDDL) into a DirectorySecurity object and iterate through each rule checking if the user or one of the groups has access. There doesn't seem to be an easier way to do this, and I am not sure you can guarantee getting the rules in the right order. Nevertheless, it is a vaguely workable approach.


    Assuming the data is coming from a database, then this check ought to be done on the database server. The main problem is getting the credentials from the web server to the database server. Obviously you can use the delegated model, but this has the disadvantage of being less scalable and, perhaps more significantly, requires you to maintain users and groups on the database (do people do this? In my experience, no). Nevertheless, a user-defined function could then be used to call a C# method that does the above check. If the web server accesses the database with a single userid, then you will have to pass the user's credentials from the web server to the database. Then you can recreate a GenericPrincipal and pass it into the user-defined function.


    Why would you do it this way, though? You already have all of the data in the database indicating which groups a user is a member of and what access each user and group has to a record, i.e. the data in the GenericPrincipal and ACL above. The SQL to test an individual's access is relatively straightforward. It therefore boils down to the speed, scalability and maintainability of one approach versus the other.

    Here's hoping this drums up some form of debate.

    Thursday, January 31, 2008 1:17 AM
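The check described in the reply above, written out as an added example (not code from the poster): application users and groups are mapped onto constructed SIDs under authority 9, a department's DACL is loaded from an SDDL string into a DirectorySecurity, and rules are evaluated against a GenericPrincipal. The SID scheme, the sample SDDL and the use of ReadData/WriteData as the application's "read" and "write" are assumptions of this example; deny rules are evaluated before allows so the outcome does not depend on the order GetAccessRules returns them.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Principal;

static class RecordAcl
{
    // Constructed SID scheme (assumption): S-1-9-1-<userId> for users, S-1-9-2-<groupId> for groups.
    static string UserSid(int userId) => $"S-1-9-1-{userId}";
    static string GroupSid(int groupId) => $"S-1-9-2-{groupId}";

    // Principal whose identity name is the user's SID and whose roles are the group SIDs.
    public static GenericPrincipal BuildPrincipal(int userId, params int[] groupIds) =>
        new GenericPrincipal(new GenericIdentity(UserSid(userId)), Array.ConvertAll(groupIds, GroupSid));

    // True if the SDDL grants every bit of 'wanted' to the user or one of their groups
    // and no deny rule for the user or a group overlaps 'wanted'.
    public static bool HasAccess(GenericPrincipal p, string sddl, FileSystemRights wanted)
    {
        var ds = new DirectorySecurity();
        ds.SetSecurityDescriptorSddlForm(sddl);           // DACL text stored per department
        var rules = ds.GetAccessRules(true, false, typeof(SecurityIdentifier));

        bool Matches(FileSystemAccessRule r) =>
            r.IdentityReference.Value == p.Identity.Name || p.IsInRole(r.IdentityReference.Value);

        foreach (FileSystemAccessRule r in rules)         // deny first, regardless of ACE order
            if (r.AccessControlType == AccessControlType.Deny && Matches(r)
                && (r.FileSystemRights & wanted) != 0)
                return false;

        FileSystemRights granted = 0;                     // allows accumulate across user and groups
        foreach (FileSystemAccessRule r in rules)
            if (r.AccessControlType == AccessControlType.Allow && Matches(r))
                granted |= r.FileSystemRights;
        return (granted & wanted) == wanted;
    }

    static void Main()
    {
        // Constructed DACL for one department, using hex masks: 0x1 = ReadData, 0x2 = WriteData.
        // Group 456 may read and write; user 123 is explicitly denied write.
        const string sddl = "D:(A;;0x1;;;S-1-9-2-456)(A;;0x2;;;S-1-9-2-456)(D;;0x2;;;S-1-9-1-123)";
        var alice = BuildPrincipal(123, 456);             // in group 456, but denied write
        var bob = BuildPrincipal(124, 456);               // in group 456, no deny

        Console.WriteLine($"alice read:  {HasAccess(alice, sddl, FileSystemRights.ReadData)}");
        Console.WriteLine($"alice write: {HasAccess(alice, sddl, FileSystemRights.WriteData)}");
        Console.WriteLine($"bob write:   {HasAccess(bob, sddl, FileSystemRights.WriteData)}");
    }
}
```

Because DirectorySecurity interprets the mask as FileSystemRights, an SDDL alias such as FW also carries READ_CONTROL and SYNCHRONIZE, so a deny of FW would also deny a request for FileSystemRights.Read; keeping application rights to single, non-overlapping bits avoids that surprise.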