dynamic tools for .net developers™  LaMarvin Home
home » constable » tutorial » policy definition » code

Constable Authorization Engine Tutorial - Coding the authorization policy

This section illustrates how you can populate the previously defined document approval authorization policy in code.

The code in this section assumes the following namespace imports:
[Visual Basic]
' CLR imports
Imports System
Imports System.Data
Imports System.Diagnostics
Imports System.Security.Principal

' CAZE imports
Imports LaMarvin.Constable
Imports LaMarvin.Constable.Model
Imports LaMarvin.Constable.Principal

[C#]
// CLR imports
using System;
using System.Data;
using System.Diagnostics;
using System.Security.Principal;

// CAZE imports
using LaMarvin.Constable;
using LaMarvin.Constable.Model;
using LaMarvin.Constable.Principal;
The most straightforward approach applications use to populate an authorization policy is to use actual code. This way, the authorization policy is embedded into the application's assembly in the form of executable code statements populating the policy dynamically at runtime. For simpler policies, this approach is very easy to use, but beware that for more complex policies, it can get quite verbose.

Here is the code needed to populate our document approval authorization policy:
[Visual Basic]
Dim docPolicy As New AuthorizationPolicy

' Document approval application roles.
' Using Windows roles for integrated Windows authentication.
docPolicy.Roles.Add( _
  New WindowsRole("Author", "{DOMAIN}\Domain Users"))
docPolicy.Roles.Add( _
  New WindowsRole("Reviewer", "BUILTIN\Administrators"))

' Document states.
docPolicy.States.AddNew("New")
docPolicy.States.AddNew("Authoring")
docPolicy.States.AddNew("Sent")
docPolicy.States.AddNew("Reviewing")
docPolicy.States.AddNew("Accepted")
docPolicy.States.AddNew("Rejected")

' Document actions.
docPolicy.Actions.AddNew("Update")
docPolicy.Actions.AddNew("Send")
docPolicy.Actions.AddNew("Review")
docPolicy.Actions.AddNew("Accept")
docPolicy.Actions.AddNew("Reject")

' Document properties.
docPolicy.Properties.AddNew("Title")
docPolicy.Properties.AddNew("Content")

[C#]
AuthorizationPolicy docPolicy = new AuthorizationPolicy();

// Document approval application roles.
// Using Windows roles for integrated Windows authentication.
docPolicy.Roles.Add(
  new WindowsRole("Author", @"{DOMAIN}\Domain Users"));
docPolicy.Roles.Add(
  new WindowsRole("Reviewer", @"BUILTIN\Administrators"));

// Document states.
docPolicy.States.AddNew("New");
docPolicy.States.AddNew("Authoring");
docPolicy.States.AddNew("Sent");
docPolicy.States.AddNew("Reviewing");
docPolicy.States.AddNew("Accepted");
docPolicy.States.AddNew("Rejected");

// Document actions.
docPolicy.Actions.AddNew("Update");
docPolicy.Actions.AddNew("Send");
docPolicy.Actions.AddNew("Review");
docPolicy.Actions.AddNew("Accept");
docPolicy.Actions.AddNew("Reject");

// Document properties.
docPolicy.Properties.AddNew("Title");
docPolicy.Properties.AddNew("Content");

We've created an instance of the AuthorizationPolicy class and populated the instance with roles, states, actions and properties of our policy. Please note that we've used WindowsRoles in order use Windows integrated authentication (more on that later):

Note: In order to maintain simplicity of the sample code, we've been using the most compact overloads of the various methods available. The CAZE API exposes many overloaded methods for increased flexibility (and complexity, that is). Please, check the online API reference for details.

Now we're ready to code the authorization rules.

First, we'll define action authorization rules for the Author role. The AddNew method used here to add the rules uses the pattern AddNew(<ActionID>, <RoleID>, <StateID>, <TargetStateID>):
[Visual Basic]
' Enable Update executed by Author transitioning the document 
' from New to Authoring state.
docPolicy.ActionRules.AddNew("Update", "Author", "New", "Authoring")

' Update can also be executed by Author in the Authoring state 
' without causing state transition.
docPolicy.ActionRules.AddNew("Update", "Author", "Authoring", "Authoring")

' Send can be executed by Author and it transitions the document 
' from Authoring to Sent state.
docPolicy.ActionRules.AddNew("Send", "Author", "Authoring", "Sent")

[C#]
// Enable Update executed by Author transitioning the document 
// from New to Authoring state.
docPolicy.ActionRules.AddNew("Update", "Author", "New", "Authoring");

// Update can also be executed by Author in the Authoring state 
// without causing state transition.
docPolicy.ActionRules.AddNew("Update", "Author", "Authoring", "Authoring");

// Send can be executed by Author and it transitions the document 
// from Authoring to Sent state.
docPolicy.ActionRules.AddNew("Send", "Author", "Authoring", "Sent");

You can think of the AddNew method as it is creating new vertical lines in a FSM diagram of the policy.

Now let's define action authorization rules for the Reviewer role:
[Visual Basic]
' Review can be executed by Reviewer and it transitions the document 
' from Sent to Reviewing state.
docPolicy.ActionRules.AddNew("Review", "Reviewer", "Sent", "Reviewing")

' Accept can be executed by Reviewer and it transitions the document 
' from Reviewing to Accepted state.
docPolicy.ActionRules.AddNew("Accept", "Reviewer", "Reviewing", "Accepted")

' Reject can be executed by Reviewer and it transitions the document 
' from Reviewing to Rejected state.
docPolicy.ActionRules.AddNew("Reject", "Reviewer", "Reviewing", "Rejected")


[C#]
// Review can be executed by Reviewer and it transitions the document 
// from Sent to Reviewing state.
docPolicy.ActionRules.AddNew("Review", "Reviewer", "Sent", "Reviewing");

// Accept can be executed by Reviewer and it transitions the document 
// from Reviewing to Accepted state.
docPolicy.ActionRules.AddNew("Accept", "Reviewer", "Reviewing", "Accepted");

// Reject can be executed by Reviewer and it transitions the document 
// from Reviewing to Rejected state.
docPolicy.ActionRules.AddNew("Reject", "Reviewer", "Reviewing", "Rejected");

If your application doesn't need to control access to business object's properties, the policy would be now complete.

In our document approval application, we do want to control access to document properties, so we'll add a few property authorization rules. The AddNew method being used to add the rules uses the pattern AddNew(<PropertyID>, <RoleID>, <StateID>):
[Visual Basic]
docPolicy.PropertyRules.AddNew("Title", "Author", "New")
docPolicy.PropertyRules.AddNew("Content", "Author", "New")
docPolicy.PropertyRules.AddNew("Title", "Author", "Authoring")
docPolicy.PropertyRules.AddNew("Content", "Author", "Authoring")

[C#]
docPolicy.PropertyRules.AddNew("Title", "Author", "New");
docPolicy.PropertyRules.AddNew("Content", "Author", "New");
docPolicy.PropertyRules.AddNew("Title", "Author", "Authoring");
docPolicy.PropertyRules.AddNew("Content", "Author", "Authoring");
For simplicity, we've defined property authorization rules only for the Author role when the document is in the New and Authoring states. Users in the Reviewer role cannot modify any properties.

Note: The CAZE policy doesn't enforce property authorization rules in any way; it must be done by the application (or the business object in question).

The authorization policy is now complete and we're ready to start integrating it into the rest of the application code.

© 2002-2007 LaMarvin. All Rights Reserved.     [Terms of use]     [Privacy] This site doesn't open new browser windows.