Yosi,

We have developed a general approach to this problem. Define a request as an abstraction of a particular action within the system. Associate service oriented calls (ex. TransferMoney(...), or CreateAccount(...)) with requests. Use interception (Remoting Contexts, or HttpModules) on these service oriented calls to then trigger authorization. From this interception feed the Principal and the arguments to an authorization provider like a rules engine, or specific rules code.

Hope this helps,
Ed
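The pattern described in the message above, as an added sketch that is not code from the original post: it uses System.Reflection.DispatchProxy as a stand-in for the Remoting Contexts or HttpModules interception the message names. IAccountService, AuthorizationRule, AuthorizingProxy and the sample rule (role "Teller", limit 10000) are hypothetical names and constructed values.

```csharp
using System;
using System.Reflection;
using System.Security.Principal;
using System.Threading;

// Hypothetical service contract; TransferMoney is the call named in the post.
public interface IAccountService { void TransferMoney(string src, string dst, decimal amount); }
public class AccountService : IAccountService
{
    public void TransferMoney(string src, string dst, decimal amount) =>
        Console.WriteLine($"moved {amount} from {src} to {dst}");
}
// Hypothetical authorization provider: gets the request name, the principal and the arguments.
public delegate bool AuthorizationRule(string request, IPrincipal principal, object[] args);

// Interceptor: every call made through the proxy is authorized before it reaches the target.
public class AuthorizingProxy<T> : DispatchProxy where T : class
{
    private T _target;
    private AuthorizationRule _rule;
    public static T Wrap(T target, AuthorizationRule rule)
    {
        T proxy = DispatchProxy.Create<T, AuthorizingProxy<T>>();
        var self = (AuthorizingProxy<T>)(object)proxy;
        self._target = target; self._rule = rule;
        return proxy;
    }
    protected override object Invoke(MethodInfo method, object[] args)
    {
        IPrincipal principal = Thread.CurrentPrincipal;
        // Deny by default: a missing principal or a failing rule stops the call.
        if (principal == null || !_rule(method.Name, principal, args))
            throw new UnauthorizedAccessException(method.Name + " denied");
        return method.Invoke(_target, args);
    }
}

public static class Demo
{
    public static void Main()
    {
        AuthorizationRule rule = (request, principal, args) => request == "TransferMoney"
            && principal.IsInRole("Teller") && (decimal)args[2] <= 10000m;
        IAccountService svc = AuthorizingProxy<IAccountService>.Wrap(new AccountService(), rule);
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Teller" });
        svc.TransferMoney("A-1", "B-2", 250m);            // rule passes, call reaches the service
        try { svc.TransferMoney("A-1", "B-2", 50000m); }  // rule rejects the amount
        catch (UnauthorizedAccessException e) { Console.WriteLine(e.Message); }
    }
}
```

Because the rule only recognizes TransferMoney, any other method later added to the interface is refused until a rule is written for it.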
