I’m looking for an existing solution for advanced authorization (not authentication) in .NET. Requirements are below:
- Define a custom application operation on application entities. Say operation “Update” for the “Meeting” entity.
- Grant user “User1” permission to perform operation “Update” only on entity “Meeting” with ID = 1.
- When operation “Update” is performed, check if the current user (“User1”) has been granted access to the “Meeting” entity with ID = 1.
So I need some existing solution to authorize specific objects for an operation. As far as I know, some solutions (AzMan) provide authorization abilities, but only for operations as units (not for concrete objects).
You can do this with things like the PrincipalPermissionAttribute. If you’re dealing with Windows authorization and things like AzMan, you can simply create users, assign them roles and log them into your application (or use the currently logged in user information). If you want to use custom authentication you have to deal with roles yourself and set the Thread.CurrentPrincipal with something like GenericPrincipal. You can then use PrincipalPermissionAttribute on methods to ensure only principals with specific roles can execute the method. For example:

If you want to do the authorization yourself, once you’ve authorized a user you can set the principal with something like:

You’ll have to deal with SecurityException when users without that role invoke the method. The assumption is that something else checks the role and simply doesn’t execute that method…
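
The approach described in the answer, as an added example that is not code from the original post: a GenericPrincipal is placed on Thread.CurrentPrincipal and a role demand guards the method, and the example goes one step further by adding the per-object check the question asks about. It assumes a .NET Framework console application; the role name "MeetingEditor", the Grants table and the MeetingService, SignIn and Try names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

static class MeetingService
{
    // Hypothetical per-object grant table: (user, operation, entity type, entity id).
    static readonly HashSet<Tuple<string, string, string, int>> Grants =
        new HashSet<Tuple<string, string, string, int>> { Tuple.Create("User1", "Update", "Meeting", 1) };

    // Declarative role check: SecurityException is thrown before the body runs
    // unless Thread.CurrentPrincipal is in the (assumed) "MeetingEditor" role.
    [PrincipalPermission(SecurityAction.Demand, Role = "MeetingEditor")]
    public static void UpdateMeeting(int meetingId)
    {
        // A role cannot express "only Meeting 1", so the object-level check is imperative.
        string user = Thread.CurrentPrincipal.Identity.Name;
        if (!Grants.Contains(Tuple.Create(user, "Update", "Meeting", meetingId)))
            throw new SecurityException("No Update grant on Meeting " + meetingId + " for " + user);
        Console.WriteLine("Meeting {0} updated by {1}", meetingId, user);
    }
}

static class Program
{
    // Custom authentication path: after verifying the user, install the principal and its roles.
    static void SignIn(string name, params string[] roles)
    {
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(name), roles);
    }

    static void Try(int meetingId)
    {
        try { MeetingService.UpdateMeeting(meetingId); }
        catch (SecurityException ex) { Console.WriteLine("Denied: " + ex.Message); }
    }

    static void Main()
    {
        SignIn("User1", "MeetingEditor");
        Try(1);          // role present, grant present for Meeting 1
        Try(2);          // role present, no grant for Meeting 2
        SignIn("User2"); // authenticated, but holds no roles
        Try(1);          // fails the role demand on the attribute
    }
}
```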