check out Secure.Data from protegrity (www.protegrity.com)
s.
-----Original Message-----
From: Yosi Taguri [mailto:[EMAIL PROTECTED]]
Sent: Sun 24/11/2002 16:37
To: [EMAIL PROTECTED]
Cc:
Subject: [ADVANCED-DOTNET] Authorization - more than just role based
hi there
I've been given a job to handle the security aspects of big banking
application.
the Application consists of a 3 logical tiers,
1. presentation: asp.net
2. logical: com+ application called thru remoting.
3. data: sql server.
Sometimes the last 2 tiers are on the same computer, but it is designed to
scale.
The requirements demand that the security (or better said: the
authorization) will be on the values of the data itself.
If one person can withdraw an amount of money from one bank account it
doesn't mean he
Can do it to anther account, But still it should use the
Same Business logic for both of the operation.
Role based security is not enough, more over using Imperative decleration
is not sufficient,
Since the role itself doesn't identify the user,
Both users are tellers in 2 different bank offices.
We came into conclusion of the following things:
1. We define roles of users (profiles).
2. Each user has specific data that distinguish it from other users.
3. For every profile/Role we define a set of permissions on
Operations of specific objects.
4. Each permission consists of parameters on specific objects.
5. We have 2 kinds of permissions: Allow Access/ Deny Access.
6. Everything that is not defined as Allow Access is denied.
7. If something is defined as allowed and as denied, it is denied.
8. The deny mechanism is merely to deny access of specific things in
A case where we allowed access to a wide range of data.
For example:
Let’s say we have two bank offices:
1 and 2
Each of them has 100 banking accounts.
2 tellers, 1 from each bank office.
Every teller can update accounts only from the office he belongs to.
Teller number 1 can update accounts 1 thru 50 in office no.2
As I mentioned earlier, each teller comes with info about his default
Office, the permissions describe the security on objects beside his
office...
I've searched MS docs for a proposed solution for data security besides
Role based, but to no avail. It seems that every big application
Needs that kind of security but no one has posted a solution,
The problem is "merely" MATCHING the permission to the data has submitted.
Does u have any recommendations??
I'll be glad to add more info on request,
Thnx,
yosi
You can read messages from the Advanced DOTNET archive, unsubscribe from
Advanced DOTNET, or
subscribe to other DevelopMentor lists at http://discuss.develop.com.
<FONT SIZE=1>**********************************************************************
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the sender immediately and then delete from your system.
This footnote also confirms that this email message has been swept
for the presence of known computer viruses.
**********************************************************************</FONT>
