How to determine if base authorization has additional type

  • Question

  • Use Case:

    We'd like to add functionality to our web site that includes the ability to upload data into the CCD type.  If I run the following code today:

     

    // Open the record offline using the stored record id
    HealthRecordAccessor accessor = new HealthRecordAccessor(offlineConn, new Guid(_enrollment.RecordId));
    // Ask which of the listed types this record has authorized for the app
    List<Guid> items = new List<Guid>();
    items.Add(CCD_THING_GUID);
    Collection<HealthRecordItemTypePermission> permissions = accessor.QueryPermissions(items);

    Result:  permissions.count = 0.
    As expected, the user doesn't have access to the CCD type. 

    However, in our next iteration, I want to enable the CCD type.  So, if I check the CCD type in the Offline and Online configuration for our base authorization and re-run the above code I get an "access denied" exception when attempting the call to QueryPermissions. 

    My goal here is to detect if an existing account is not using the latest authorization set (which would include the CCD type).  How do I detect this?  In other words, we'd like to guide all of our existing users to re-authorize their accounts against the latest authorization set.

    Regards,
    Scott

    Tuesday, November 3, 2009 11:01 PM

Answers

  • If you add extra data type permissions to the application id, all the existing offline authorizations (and online too) will be effectively invalid.

    Which means that you will NOT be able to even QueryPermissions using the context of that user.

    One way you may want to consider is to use optional authorization. 

    This way, you can keep the existing authorizations intact, new users can authorize CCD, and allow existing users to authorize CCD without losing everyone's authorization.

    Start reading on it here:

    http://blogs.msdn.com/healthvault/archive/2008/04/18/pb3-feature-optional-authorization.aspx


    Raj HealthVault Developer Tool http://xray.getrealconsulting.com
    Friday, November 6, 2009 9:00 PM
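As an added illustration (not code from the thread or from the HealthVault SDK documentation), the check below combines the two outcomes the thread describes: an access denied exception means the base rule was extended after the record authorized and a Shell re-authorization is required, while an empty permission set means the record is still valid but has not opted in to the optional CCD rule. It assumes the SDK types HealthRecordAccessor, HealthRecordItemTypePermission, HealthRecordItemPermissions and HealthServiceAccessDeniedException from Microsoft.Health, and that the CCD type id is passed in by the caller.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using Microsoft.Health;

// Added example; assumes the Microsoft.Health SDK types named in the lead-in.
public enum AuthState { Current, NeedsReauthorization, MissingOptionalType }

public static class AuthCheck
{
    // Decide whether a record's stored grant still matches what the app needs.
    // Run this from an online page (the thread notes QueryPermissions is not
    // reliable offline) before any other call touches record data.
    public static AuthState Check(HealthRecordAccessor accessor, Guid ccdTypeId)
    {
        Collection<HealthRecordItemTypePermission> permissions;
        try
        {
            permissions = accessor.QueryPermissions(new List<Guid> { ccdTypeId });
        }
        catch (HealthServiceAccessDeniedException)
        {
            // The base rule changed after this record authorized: every call
            // fails, not just this one. Only a Shell re-authorization clears it.
            return AuthState.NeedsReauthorization;
        }

        foreach (HealthRecordItemTypePermission p in permissions)
        {
            if (p.TypeId == ccdTypeId &&
                (p.OnlineAccessPermissions != HealthRecordItemPermissions.None ||
                 p.OfflineAccessPermissions != HealthRecordItemPermissions.None))
            {
                return AuthState.Current;
            }
        }

        // Count == 0, as in the question: under optional authorization the old
        // grant stays valid and the user simply has not opted in to CCD yet, so
        // prompt for the optional rule rather than forcing a full re-auth.
        return AuthState.MissingOptionalType;
    }
}
```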

All replies

  • Hello Scott,

    Can you please specify your application ID? Also can you please explain when you are getting the "access denied" error a bit more descriptively?

    Thanks and Regards,
    Aneesh D.
    Tuesday, November 3, 2009 11:32 PM
  • Aneesh-- from the above, I believe Scott has actually already provided enough info.  The question is how to query for which permissions the current user/record has authorized, and how to get users to re-authorize using the new permissions so that existing users who have authorized the previous data type rules can authorize the new permissions request to use the CCD type.

    The access denied error is returned when the app tries to use new permissions with records that authorized using an older set of permissions that lack the newly added permissions, and is solved via having the user reauthorize (via redirecting the user to HV's Shell Redirect interface with appropriate target and parameters).
    Wednesday, November 4, 2009 8:14 PM
  • Lowell,

    We're almost there.  The issue is even more pervasive than an exception raised on the QueryPermissions call.  In fact, any attempt by the end user to Get data (for example) will also raise the "access denied" exception. 

    To re-create:
    1. Created initial application configuration with Rule Name: "MyAppConfigRule"
    2. Created account for "Mouse, Mickey" and authorized all types per the "MyAppConfigRule" configuration.
    3. Update the "MyAppConfigRule" to include a new type, "CCD".
    4. Try to get data using the "Mouse, Mickey" account.

    BOOM!  Access Denied.

    The question remains.  How do I detect this condition where the authorization has been extended, but the user is still authorized under the old set?  Once I've detected this condition, I can redirect users to the re-auth page.

    Regards,
    Scott
    Thursday, November 5, 2009 12:37 AM
  • Hello Scott,

    I am trying to reproduce this issue. I will get back to you with the results soon.

    Thanks and Regards,
    Aneesh D.
    Thursday, November 5, 2009 5:34 PM
  • Hello Scott,

    Please look at Eric's answer in the following forum thread, saying QueryPermissions() doesn't work in offline mode.

    You will have to verify the permissions from some Online page and then accordingly redirect the user to authorize the new set of data types.
    Please let me know whether even after authorizing the user with the new set of data types you are getting an access denied error?

    Thanks and Regards,
    Aneesh D.
    Thursday, November 5, 2009 8:58 PM
  • Aneesh,

    Eric's answer doesn't explain why I get the same "access denied" exception when making a call like:

    searcher.GetMatchingItems()[0];

    Right?

    Scott
    Thursday, November 5, 2009 10:39 PM
  • Scott,

    While the user is reauthorizing the application are you getting the new record id and using it to access the record?

    Thanks and Regards,
    Aneesh D.
    Thursday, November 5, 2009 11:18 PM
  • Hold on.  You're one step ahead of me.  I'm running the QueryPermissions command to determine if a given user has been granted authorization to the "CCD" type.  However, since QueryPermissions is raising an exception once I extend an existing rule to include CCD in App Config, I can't determine if the user should be re-authorized.  I must not be communicating this issue to you well enough.  Please forward to Chris Tremonte if this is still unclear.  Note:  I saw another thread on the forum today that is probably related from O.G. Sentinel.

    Regards,
    Scott 
    Friday, November 6, 2009 8:46 PM
  • Rajesh,

    Thanks for the response.  Optional Authorization was our "Plan B".  We'll proceed with that solution.  The link you sent will be very helpful. 

    Sincerely,
    Scott
    Friday, November 6, 2009 9:41 PM