[Authorization(
    new Allow(Roles = "Manager, Employee"),
    new Deny(Users = "*"))]
Without the ability to use multiple attributes and custom types, you are left only with the primitive types, like strings and enumerations, which can be used in constant expressions.

The AuthorizationAttribute also enables you to define action-level permissions by including one or more Actions in the rule. For instance, here is how to permit employees to access suppliers in read-only mode while still giving the managers full access:
[Authorization(
    Allow.Roles, "Manager",
    Allow.Roles, "Employee", Actions.Read,
    Deny.Users, "*")]
partial class Supplier { ... }
Actions is an enumerated type shown next. Notice that it represents a bit field, which enables you to specify multiple actions in the same rule using the bitwise or operator (| in C#). For instance, you could have allowed employees to read and update Suppliers by specifying actions as Actions.Read | Actions.Update. Unless an Actions value is specified in a rule explicitly, the AuthorizationAttribute assumes it to be All, which is why the rule just described gives managers permission to perform all actions and limits employees to read-only access:
[Flags]
public enum Actions
{
None = 0x00,
Read = 0x01,
Insert = 0x02,
Update = 0x04,
Delete = 0x08,
All = Read | Insert | Update | Delete
}
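To make the evaluation of such a rule set concrete, here is an added example (not code from the book or its sample library) that models the Supplier annotation as a list of rules and checks a request against it. It assumes first-match evaluation in declaration order, as in the <authorization> section, and deny when no rule matches; the Rule class and SupplierAuthorization.IsAllowed are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

[Flags]
public enum Actions
{
    None = 0x00, Read = 0x01, Insert = 0x02, Update = 0x04, Delete = 0x08,
    All = Read | Insert | Update | Delete
}

// One Allow or Deny rule, matched against user names or roles and scoped to a set
// of actions. Actions defaults to All, mirroring the attribute's behaviour.
sealed class Rule
{
    public bool Allow;
    public string[] Roles = new string[0];
    public string[] Users = new string[0];
    public Actions Actions = Actions.All;

    // The rule applies only if every requested action bit is covered by the rule
    // and the principal matches by user name ("*" is any user) or by role.
    public bool Matches(string user, IEnumerable<string> roles, Actions requested) =>
        (Actions & requested) == requested &&
        (Users.Contains("*") ||
         Users.Contains(user, StringComparer.OrdinalIgnoreCase) ||
         Roles.Intersect(roles, StringComparer.OrdinalIgnoreCase).Any());
}

static class SupplierAuthorization
{
    // Constructed rule set mirroring the Supplier annotation above.
    static readonly Rule[] Rules =
    {
        new Rule { Allow = true,  Roles = new[] { "Manager" } },
        new Rule { Allow = true,  Roles = new[] { "Employee" }, Actions = Actions.Read },
        new Rule { Allow = false, Users = new[] { "*" } },
    };

    // First matching rule decides (assumption); no match is treated as deny.
    public static bool IsAllowed(string user, string[] roles, Actions requested)
    {
        var rule = Rules.FirstOrDefault(r => r.Matches(user, roles, requested));
        return rule != null && rule.Allow;
    }

    static void Main()
    {
        Console.WriteLine(IsAllowed("alice", new[] { "Manager" }, Actions.Delete));
        Console.WriteLine(IsAllowed("bob", new[] { "Employee" }, Actions.Read));
        // Employee Update: the Employee rule covers only Read, so Deny "*" wins.
        Console.WriteLine(IsAllowed("bob", new[] { "Employee" }, Actions.Update));
        // Combined bits: every requested action must be permitted by one rule.
        Console.WriteLine(IsAllowed("bob", new[] { "Employee" }, Actions.Read | Actions.Update));
    }
}
```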
As you can see, the AuthorizationAttribute enables you to express entity- and action-level permissions on a per-user or per-role basis. The resulting annotations closely mimic the structure of the <authorization> configuration section, with the exception of the Actions parameter, which is not available in the <allow/> and <deny/> elements. Although this difference may be confusing at first, the resulting definitions of authorization rules are much more compact than the typical web configuration needed for action-level rules, which requires separate <location/> sections for each action. Attribute-based authorization rules also allow you to change routing configuration without having to update the rules in web.config.