How to use CAZE with different types of objects

More often than not, applications expose more than one class of objects. Because an authorization policy is inherently tied to a single object type, it is generally recommended to define separate authorization policies for different types of application objects.

In a sense, an application itself can be thought of as an object type and it is usually helpful to define an authorization policy for the application as a whole. For example the Document Approval application (discussed in the tutorial) defines a separate authorization policy for the document type and for the whole application. The document authorization policy contains actions and properties appropriate for document instances, such as update document or send document to approval. The application authorization policy contains actions fitting the application as a whole, for example create new document.

Cautious reader probably noted that the create new document action really belongs to the document class (i.e. it might be thought of as a static method of the class). Technically, this is true, but practically, we've found it to be simpler and more intuitive to define creation actions (instantiations) for different application objects at the application level. If your application exposes ten classes, it is simpler to define ten "CreateObjectX" rules in the application-level policy rather than to define additional ten class-level authorization policies (along with the ten instance-level policies).

<< Back to FAQ

This site doesn't open new browser windows.