Scott on Writing

Musings on technical writing...

Specifying Authorization Rules for the Business Logic or Data Access Layers (BLL/DAL)

In my Limiting Data Modification Functionality Based on the User (C# version) tutorial, I show how to adjust the functionality at the presentation layer based on the “currently logged on user.” (The demo doesn't actually setup the membership and roles systems, and rather allows the visitor to pick who they are logged on as from a drop-down list. See my Examining ASP.NET 2.0's Membership, Roles, and Profile article series for more information.)

One question I have received more than a couple of times is how to extend the permission-based business rules down into the Business Logic Layer and/or Data Access Layer. That is, how can I configure my BLL so that if my presentation layer has a bug or whatever, a person who is not authorized to, say, delete a record, is forbidden from doing so.

There are a couple of ways. One way is to add the logic programmatically to your BLL or DAL. You can access information about the currently logged in user in these layers using the Membership or Roles classes in the .NET Framework, like so:

    1 public bool AddProduct(...)
    2 {
    3     if (!Roles.IsUserInRole("Administrator"))
    4         throw new System.Security.SecurityException("You do not have permission to add a new product to the system.");
    5 
    6     ...

Alternatively, you can specify authorization rules using PrinciplePermissionAttributes, as discussed by Scott Guthrie in his blog entry Adding Authorization Rules to Business and Data Layers using PrincipalPermissionAttributes.

With Scott Guthrie's approach, your BLL or DAL's code would include attributes defining the permissions required.

using System;
using System.Security.Permissions;

[PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
public class EmployeeManager
{
    [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
    public Employee LookupEmployee(int employeeID)
    {
       // todo
    }

    [PrincipalPermission(SecurityAction.Demand, Role = "HR")]
    public void AddEmployee(Employee e)
    {
       // todo
    }
}

The benefits of PrincipalPermissionAttribute, as noted by Scott, are:

“The PrincipalPermissionAttribute isn't tied to any specific authentication mode. It will work with Forms Authentication, Windows Authentication, Passport Authentication, or any custom authentication mode you want to invent. It will also work with any Role implementation I might use (so if you build or plug-in your own Role Provider in ASP.NET it will just work).

“The PrincipalPermissionAttribute type is implemented in the standard CLR mscorlib assembly that all .NET projects compile against. So it isn't ASP.NET specific, and can be used within any application type (including Windows and Console applications). In addition to making it more generically useful, this makes it easier to unit-test business/data libraries built with it.”

posted on Wednesday, October 04, 2006 4:43 PM

Feedback

# re: Specifying Authorization Rules for the Business Logic or Data Access Layers (BLL/DAL) 10/10/2006 10:02 AM Ben Strackany

Also it does seem like multiples are allowed (at least per the docs http://msdn2.microsoft.com/en-us/library/system.security.permissions.principalpermissionattribute.aspx) so for multiple roles you could do

[PrincipalPermission(SecurityAction.Demand, Role = "Administrator")]
[PrincipalPermission(SecurityAction.Demand, Role = "HR")]
public void AddEmployee(Employee e)
{
// todo
}

to allow either HR or Administrators to call AddEmployee.

Also, to just restrict methods to logged-in users, do

[PrincipalPermissionAttribute(SecurityAction.Demand, Authenticated=true)]
public void AddEmployee(Employee e)
{
// todo
}

which is a nice thing to put in a DAL or BLL so that you can require authentication even if the user of your DLLs forgets or avoids web.config permissions.

# Authorization Roles for ASP.NET 2.0 10/25/2006 6:57 AM Giddy Up! - Erik Lane's Blog

Title:

Name:

Url:

Enter the code you see:

Comments

Remember Me?

March 2010

Comment Stats

Day	Total	% of Total
Sunday	205	6.8%
Monday	425	14.1%
Tuesday	519	17.2%
Wednesday	556	18.4%
Thursday	580	19.2%
Friday	547	18.1%
Saturday	188	6.2%
Total	3020	100.0%

Hour¹	Total	% of Total
12:00 AM	78	2.6%
1:00 AM	81	2.7%
2:00 AM	68	2.3%
3:00 AM	82	2.7%
4:00 AM	69	2.3%
5:00 AM	126	4.2%
6:00 AM	119	3.9%
7:00 AM	181	6.0%
8:00 AM	192	6.4%
9:00 AM	158	5.2%
10:00 AM	188	6.2%
11:00 AM	193	6.4%
12:00 PM	201	6.7%
1:00 PM	184	6.1%
2:00 PM	169	5.6%
3:00 PM	135	4.5%
4:00 PM	115	3.8%
5:00 PM	107	3.5%
6:00 PM	101	3.3%
7:00 PM	107	3.5%
8:00 PM	92	3.0%
9:00 PM	88	2.9%
10:00 PM	91	3.0%
11:00 PM	95	3.1%
Total	3020	100.0%

Comments by Blog Entry Date/Time

Day Entry Made	Avg.	Total
Sunday	5.00	160
Monday	4.80	384
Tuesday	4.04	477
Wednesday	7.39	680
Thursday	6.26	676
Friday	5.07	466
Saturday	4.78	177
Total	5.40	3020

Hour¹ Entry Made	Avg.	Total
12:00 AM	5.29	37
1:00 AM	1.00	2
5:00 AM	0.00	0
7:00 AM	3.85	50
8:00 AM	3.72	134
9:00 AM	6.06	297
10:00 AM	5.63	276
11:00 AM	4.22	194
12:00 PM	6.16	351
1:00 PM	3.09	133
2:00 PM	4.89	230
3:00 PM	7.67	322
4:00 PM	4.00	108
5:00 PM	6.07	170
6:00 PM	4.64	116
7:00 PM	8.95	188
8:00 PM	8.63	164
9:00 PM	5.00	115
10:00 PM	6.31	101
11:00 PM	4.57	32
Total	5.40	3020

# re: Specifying Authorization Rules for the Business Logic or Data Access Layers (BLL/DAL) 10/10/2006 10:02 AM Ben Strackany

# Authorization Roles for ASP.NET 2.0 10/25/2006 6:57 AM Giddy Up! - Erik Lane's Blog

Scott on Writing

Specifying Authorization Rules for the Business Logic or Data Access Layers (BLL/DAL)

Feedback

My Links

Archives

Post Categories

Comment Stats

Comments by Blog Entry Date/Time

Blog Stats

Favorite Web Sites

My Books

My MSDN Articles