
CAZE and different types of roles

One common way to categorize roles is by the mechanism through which role membership is determined:

Windows roles, for example, represent Windows user groups; group membership is managed by the built-in Windows APIs and administrative tools.

COM+ roles are stored in the COM+ catalog and the membership is managed by means of the COM+ APIs or the Component Services MMC snap-in.

Custom roles

Roles that use other mechanisms to determine membership are commonly called custom, or application-specific, roles. By definition, custom roles rely on custom mechanisms to determine membership, and these mechanisms commonly involve organizational hierarchies and other organization-specific or application-specific data.

As an example, suppose that the Reviewer role of the Document Approval application discussed in the tutorial should be defined so that a Reviewer is a member of a specific department within the company using the application. The organizational hierarchy must then be consulted to determine Reviewer membership, perhaps through ADSI, LDAP or a custom API. You can implement such a scenario by defining a custom role class derived from the CAZE Role class and overriding the IsMember method, for example:
[Visual Basic]
Imports System.Security.Principal

Public Class ReviewerRole
  Inherits Role
  
  ' Returns True only when the principal's identity is a member of the
  ' required organizational unit; a missing principal never qualifies.
  Public Overrides Function IsMember(principal As IPrincipal) As Boolean
    If principal Is Nothing Then
      Return False
    End If
    
    ' Consult the custom directory service to determine if the 
    ' principal.Identity.Name is member of the required 
    ' organizational unit.
    Return OrganizationalUnit.IsMember(principal.Identity.Name)
  End Function
End Class

[C#]
using System.Security.Principal;

public class ReviewerRole : Role
{
  // Returns true only when the principal's identity is a member of the
  // required organizational unit; a missing principal never qualifies.
  public override bool IsMember(IPrincipal principal)
  {
    if (principal == null)
      return false;
    
    // Consult the custom directory service to determine if the 
    // principal.Identity.Name is member of the required 
    // organizational unit.
    return OrganizationalUnit.IsMember(principal.Identity.Name);
  }
}
The IsMember implementation calls a custom directory service API and passes it the current principal's identity name. The directory service determines whether the passed-in identity is a member of the required organizational unit, and that result becomes IsMember's return value.

Custom principal

If a custom role resolution mechanism depends on the state of a business object, it is often simpler to use the provided ExtendedPrincipal class and implement the custom role resolution logic so that it dynamically adds or removes roles in the ExtendedPrincipal.Roles collection. To illustrate this technique, let's redefine the Reviewer role of the Document Approval application once again: a Reviewer is either a member of the "Administrators" local Windows group or any user at all, as long as the document's title contains the word "public":
[Visual Basic]
Dim documentRow As DataRow = <load the document row from database>

Dim docPolicy As AuthorizationPolicy = LoadDocPolicy()
docPolicy.CurrentState = _
  docPolicy.States(documentRow("state_id").ToString())

Dim principal As New ExtendedPrincipal()
If documentRow("title").ToString().IndexOf("public") >= 0 Then
  principal.Roles.AddNew("Reviewer")
End If

docPolicy.CurrentPrincipal = principal

[C#]
DataRow documentRow = <load the document row from database>;

AuthorizationPolicy docPolicy = LoadDocPolicy();
docPolicy.CurrentState = 
  docPolicy.States[documentRow["state_id"].ToString()];

ExtendedPrincipal principal = new ExtendedPrincipal();
if (documentRow["title"].ToString().IndexOf("public") >= 0)
  principal.Roles.AddNew("Reviewer");

docPolicy.CurrentPrincipal = principal;
We've loaded a document from the database and loaded and initialized the associated authorization policy.

After that, we've created an instance of the ExtendedPrincipal class and, based on the value of the document's title property, we've added the "Reviewer" role to the ExtendedPrincipal.Roles collection. By associating the ExtendedPrincipal with the policy, we've ensured that the policy gives the principal all permissions associated with the "Reviewer" role.
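The two techniques above, as an added example that is not CAZE's own code: a fail-closed custom role check with the same IsMember(IPrincipal) contract as the ReviewerRole on this page, and a principal whose "Reviewer" role is derived from the document's state. It uses only the standard System.Security.Principal types; the CAZE Role base class, ExtendedPrincipal and the OrganizationalUnit service are not used, and the in-memory directory is a constructed stand-in for ADSI or LDAP.

```csharp
// Added example (not CAZE code). The directory below is a constructed stand-in
// for the organizational directory; the CAZE Role/ExtendedPrincipal types are
// replaced by the standard .NET principal types so the sample runs stand-alone.
using System;
using System.Collections.Generic;
using System.Security.Principal;

public interface IOrgDirectory
{
    bool IsMemberOfUnit(string accountName, string unitName);
}

// Constructed stand-in for the directory service (assumption: ADSI/LDAP in production).
public sealed class InMemoryDirectory : IOrgDirectory
{
    // Account names are compared case-insensitively, as Windows account names are.
    private readonly Dictionary<string, HashSet<string>> units =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);

    public InMemoryDirectory Add(string unit, params string[] accounts)
    {
        if (!units.TryGetValue(unit, out var members))
        {
            members = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
            units[unit] = members;
        }
        foreach (var account in accounts) members.Add(account);
        return this;
    }

    public bool IsMemberOfUnit(string accountName, string unitName) =>
        units.TryGetValue(unitName, out var members) && members.Contains(accountName);
}

// Custom role with the page's IsMember(IPrincipal) contract.
// Every failure path returns false: a lookup error must never grant the role.
public sealed class ReviewerRole
{
    private readonly IOrgDirectory directory;
    private readonly string requiredUnit;

    public ReviewerRole(IOrgDirectory directory, string requiredUnit)
    {
        this.directory = directory;
        this.requiredUnit = requiredUnit;
    }

    public bool IsMember(IPrincipal principal)
    {
        var identity = principal?.Identity;
        if (identity == null || !identity.IsAuthenticated || string.IsNullOrEmpty(identity.Name))
            return false;                       // anonymous callers are never reviewers
        try
        {
            return directory.IsMemberOfUnit(identity.Name, requiredUnit);
        }
        catch (Exception)                       // directory unreachable, timeout, etc.
        {
            return false;                       // fail closed
        }
    }
}

// Second technique: the role is computed from document state. "Reviewer" is granted
// to local Administrators or, for any user, when the title contains "public".
// The resulting principal is built for ONE document and must not be reused for another.
public static class DocumentPrincipalFactory
{
    public static IPrincipal Build(IIdentity identity, bool isLocalAdministrator, string documentTitle)
    {
        var roles = new List<string>();
        bool titleIsPublic = documentTitle != null &&
            documentTitle.IndexOf("public", StringComparison.OrdinalIgnoreCase) >= 0;
        if (isLocalAdministrator || titleIsPublic)
            roles.Add("Reviewer");
        return new GenericPrincipal(identity, roles.ToArray());
    }
}

public static class Demo
{
    public static void Main()
    {
        var directory = new InMemoryDirectory().Add("Legal", "CORP\\alice");
        var reviewer = new ReviewerRole(directory, "Legal");

        var alice = new GenericPrincipal(new GenericIdentity("corp\\ALICE"), new string[0]);
        var bob   = new GenericPrincipal(new GenericIdentity("CORP\\bob"), new string[0]);
        var anon  = new GenericPrincipal(new GenericIdentity(""), new string[0]);

        Console.WriteLine(reviewer.IsMember(alice)); // True: case-insensitive name match
        Console.WriteLine(reviewer.IsMember(bob));   // False: not in the Legal unit
        Console.WriteLine(reviewer.IsMember(anon));  // False: empty name is unauthenticated
        Console.WriteLine(reviewer.IsMember(null));  // False: no principal at all

        var publicDoc  = DocumentPrincipalFactory.Build(bob.Identity, false, "Public notice");
        var payrollDoc = DocumentPrincipalFactory.Build(bob.Identity, false, "Payroll");
        Console.WriteLine(publicDoc.IsInRole("Reviewer"));  // True
        Console.WriteLine(payrollDoc.IsInRole("Reviewer")); // False
    }
}
```

Two choices differ from the page's snippets and are deliberate: the title match uses StringComparison.OrdinalIgnoreCase (the page's IndexOf("public") is case-sensitive, so a title such as "Public notice" would not match there), and a directory exception is treated as "not a member" rather than propagating, so an outage cannot widen access. Because the roles on the second principal depend on the document being examined, a principal assembled this way belongs to that one authorization decision and should be rebuilt for the next document.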

© 2002-2007 LaMarvin. All Rights Reserved.