CHAPTER 14
Implementing Security

IN THIS CHAPTER
- Table Scaffolding
- Route Constraints
- Web.Config Authorization Rules
- Metadata Security API
- Implementing Row-Level Security
- Security Annotations

Dynamic Data includes an extensible security system that
enables you to secure metadata-driven web applications at
several different levels. At the top level, you can control
whether a particular entity, such as Customer or Product, is
accessible through the pages dynamically generated from
page templates. At the next level down, you can configure
any given entity type to allow or deny users to perform
specific actions, or in other words, access the dynamically
generated List, Details, Insert, and Edit pages. At the lowest
level, the framework provides limited support for row-level
security and allows you to limit the set of rows a user will
be able to see through the dynamically generated web
pages, such as allowing a customer to see only the orders
they submitted and not everyone else's.

In this chapter, you learn the specifics of different
approaches for implementing security in Dynamic Data
applications. The simplest and most straightforward
approach is to specify authorization rules in the Web
configuration file. Based on the standard location-based
configuration syntax, this approach should already be familiar
to ASP.NET developers building WebForms and MVC
applications. This approach supports both entity- and
action-level access control.
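
The following Web.config fragment is an added illustration, not taken from the book, of entity-level and action-level rules written with the location-based syntax. It assumes the default Dynamic Data route of {table}/{action}.aspx, entity sets named Customers and Products, and hypothetical role names Sales and CatalogEditors.

```xml
<configuration>
  <system.web>
    <!-- Baseline for the whole application: reject anonymous users ("?"). -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Entity level: covers every generated page under Customers/
       (List, Details, Insert, Edit). Rules are evaluated top-down and the
       first match wins, so the allow must precede the catch-all deny. -->
  <location path="Customers">
    <system.web>
      <authorization>
        <allow roles="Sales" />   <!-- hypothetical role name -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Action level: Products List and Details pages inherit the baseline
       (any authenticated user), while the pages that modify data are
       restricted to one role. -->
  <location path="Products/Insert.aspx">
    <system.web>
      <authorization>
        <allow roles="CatalogEditors" />   <!-- hypothetical role name -->
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="Products/Edit.aspx">
    <system.web>
      <authorization>
        <allow roles="CatalogEditors" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

These rules match URL paths, so they must be kept in step with the route definitions: a route that exposes the same entity under a different URL is not covered by them.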

The second option for implementing security is based on
metadata information. Although the Web.config-based
authorization rules work well to prevent unauthorized
access, they are not easily accessible in the dynamic
templates. With simple programmatic access to rule
definitions, dynamic templates can not only prevent
unauthorized access, but also trim the dynamically generated
web pages to hide inaccessible information and actions.
 
 