Net SQL AzMan 中的所有设置似乎都是基于"OR"的。
例如:
如果将3个(授权的)应用程序组添加到一个操作中,则用户需要在第一个或第二个或第三个应用程序组中才能拥有该操作的权限。
我正在寻找一种方法来说明用户需要在(第一个AND第二个)OR(第一个和第三个)中。
有办法做到这一点吗?
原因:
当用户从一个部门移动到另一个部门时,他们的权限会像滚雪球一样越滚越大。我想为每个Active Directory部门设置一个角色(在上面的例子中是"第一个")。如果我能让上面的逻辑发挥作用,那么当用户更改部门时,他们将失去以前部门的权限(即使他们的老板很懒,没有更新AzMan)。
如果我不能在AzMan中实现这一点,那么我可以让我的应用程序来实现。但在AzMan级别会容易得多。
您可以在操作上使用BizRule来完成此操作。它的代码有点过头了,但这应该只需要最少的修改。
using System;
using System.Security.Principal;
using System.IO;
using System.Data;
using System.Collections;
using System.Collections.Specialized;
using System.Collections.Generic;
using System.Text;
using NetSqlAzMan;
using NetSqlAzMan.Interfaces;
using System.Security.Principal;
using System.Reflection;
namespace APPLICATION.BizRules
{
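public sealed class BizRule : IAzManBizRule
{
    public BizRule()
    { }

    /// <summary>
    /// Allows the owning item only when the user is authorized for
    /// (GROUP1 AND GROUP2) OR GROUP3, where each role is evaluated through
    /// NetSqlAzMan's own CheckAccess so existing role membership still applies.
    /// </summary>
    /// <param name="contextParameters">Context parameters supplied by the caller; not used by this rule.</param>
    /// <param name="identity">SID of the user being authorized.</param>
    /// <param name="ownerItem">Item this rule is attached to; not used by this rule.</param>
    /// <param name="authorizationType">Authorization computed so far; left unchanged.</param>
    /// <returns>
    /// true to allow, false to deny. A storage failure, a missing SID or a SID that
    /// cannot be resolved in the domain results in a deny (fail closed).
    /// </returns>
    public bool Execute(Hashtable contextParameters, IAzManSid identity, IAzManItem ownerItem, ref AuthorizationType authorizationType)
    {
        if (identity == null || string.IsNullOrEmpty(identity.StringValue))
        {
            return false;
        }

        // SECURITY: this literal embeds a SQL login and password in rule source that
        // NetSqlAzMan stores inside the authorization database itself. Prefer
        // Integrated Security or a secret supplied from outside the rule.
        string sqlConnectionString = "data source=DATABASE_FQN;initial catalog=DATABASE;Integrated Security=false;User Id=USER_NAME;Password=PASSWORD";
        IAzManStorage storage = new SqlAzManStorage(sqlConnectionString);
        try
        {
            // Ordinal: the "S" prefix is a SID format marker, not linguistic text.
            if (identity.StringValue.StartsWith("S", StringComparison.Ordinal))
            {
                // Windows SID: resolve to a WindowsIdentity so CheckAccess can use
                // Windows group membership. Directory/reflection failures are not
                // caught here and propagate to NetSqlAzMan.
                using (WindowsIdentity user = ResolveWindowsIdentity(identity.StringValue))
                {
                    if (user == null)
                    {
                        return false;
                    }
                    return IsAuthorized(storage, user);
                }
            }

            // Non-Windows (database) user: check against the SID directly.
            return IsAuthorized(storage, new AzManUser(identity));
        }
        catch (SqlAzManException)
        {
            // Deny rather than allow when the store cannot answer.
            return false;
        }
        finally
        {
            // Release the storage if the implementation is disposable
            // (NOTE(review): not visible from here whether IAzManStorage is IDisposable).
            IDisposable disposableStorage = storage as IDisposable;
            if (disposableStorage != null)
            {
                disposableStorage.Dispose();
            }
        }
    }

    /// <summary>
    /// Evaluates the combined rule (GROUP1 AND GROUP2) OR GROUP3 for one user.
    /// </summary>
    /// <param name="storage">Open NetSqlAzMan storage.</param>
    /// <param name="user">Either a WindowsIdentity or an IAzManDBUser.</param>
    private static bool IsAuthorized(IAzManStorage storage, object user)
    {
        return (CheckRoleAuthorization(storage, "GROUP1", user) && CheckRoleAuthorization(storage, "GROUP2", user))
            || CheckRoleAuthorization(storage, "GROUP3", user);
    }

    /// <summary>
    /// Looks the SID up in the domain and returns a WindowsIdentity for it,
    /// or null when the SID is unknown or the account has no UPN.
    /// </summary>
    /// <param name="sid">SID in string form (S-1-...).</param>
    private static WindowsIdentity ResolveWindowsIdentity(string sid)
    {
        // Loaded by name: NetSqlAzMan BizRules cannot reference
        // System.DirectoryServices.AccountManagement directly.
        Assembly asm = Assembly.Load(@"System.DirectoryServices.AccountManagement, Version=3.5.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089");
        System.Type userPrincipalType = asm.GetType("System.DirectoryServices.AccountManagement.UserPrincipal");
        System.Type principalContextType = asm.GetType("System.DirectoryServices.AccountManagement.PrincipalContext");
        System.Type contextTypeType = asm.GetType("System.DirectoryServices.AccountManagement.ContextType");
        System.Type identityTypeType = asm.GetType("System.DirectoryServices.AccountManagement.IdentityType");

        // ContextType value 1 is ContextType.Domain; IdentityType value 4 is IdentityType.Sid.
        object principalContext = Activator.CreateInstance(principalContextType, new object[] { Enum.ToObject(contextTypeType, 1), "DENALLIX" });
        try
        {
            MethodInfo findByIdentity = userPrincipalType.GetMethod("FindByIdentity", new Type[] { principalContextType, identityTypeType, typeof(string) });
            object userPrincipal = findByIdentity.Invoke(null, new object[] { principalContext, Enum.ToObject(identityTypeType, 4), sid });
            if (userPrincipal == null)
            {
                // Unknown SID: the caller treats null as a deny.
                return null;
            }

            object userPrincipalName = userPrincipal.GetType().GetProperty("UserPrincipalName").GetValue(userPrincipal, null);
            if (userPrincipalName == null)
            {
                // No UPN on the account, so the UPN-only WindowsIdentity constructor cannot be used.
                return null;
            }

            return new WindowsIdentity(userPrincipalName.ToString());
        }
        finally
        {
            // PrincipalContext holds a directory connection; release it.
            IDisposable disposableContext = principalContext as IDisposable;
            if (disposableContext != null)
            {
                disposableContext.Dispose();
            }
        }
    }

    /// <summary>
    /// Asks NetSqlAzMan whether <paramref name="user"/> holds <paramref name="roleName"/>
    /// in "MY STORE" / "MY APPLICATION" as of now.
    /// </summary>
    /// <param name="storage">Open NetSqlAzMan storage.</param>
    /// <param name="roleName">Role (item) name to test.</param>
    /// <param name="user">WindowsIdentity, or an IAzManDBUser for database users.</param>
    /// <returns>true for Allow or AllowWithDelegation; false otherwise.</returns>
    private static bool CheckRoleAuthorization(IAzManStorage storage, string roleName, object user)
    {
        WindowsIdentity windowsUser = user as WindowsIdentity;
        AuthorizationType auth = windowsUser != null
            ? storage.CheckAccess("MY STORE", "MY APPLICATION", roleName, windowsUser, DateTime.Now, true)
            : storage.CheckAccess("MY STORE", "MY APPLICATION", roleName, (IAzManDBUser)user, DateTime.Now, true);
        return auth == AuthorizationType.Allow || auth == AuthorizationType.AllowWithDelegation;
    }
}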
/// <summary>
/// Minimal IAzManDBUser used to run CheckAccess against a non-Windows (database) SID.
/// The user name is empty unless supplied explicitly; CustomColumns starts empty.
/// </summary>
public partial class AzManUser : IAzManDBUser
{
    private Dictionary<string, object> _customColumns = new Dictionary<string, object>();
    private IAzManSid _sid;
    private string _username;

    /// <summary>Creates a user with the given name and a SID parsed from its string form.</summary>
    public AzManUser(string username, string sid)
    {
        _username = username;
        _sid = new NetSqlAzMan.SqlAzManSID(sid);
    }

    /// <summary>Creates a user with an empty name and a SID parsed from its string form.</summary>
    public AzManUser(string sid)
        : this(string.Empty, sid)
    {
    }

    /// <summary>Creates a user with an empty name from an already constructed SID.</summary>
    public AzManUser(IAzManSid sid)
    {
        _username = string.Empty;
        _sid = sid;
    }

    /// <summary>Extra columns for this user; the same dictionary instance is returned on every call.</summary>
    public Dictionary<string, object> CustomColumns
    {
        get { return _customColumns; }
    }

    /// <summary>The user's SID.</summary>
    public IAzManSid CustomSid
    {
        get { return _sid; }
    }

    /// <summary>The user's name, or an empty string when not supplied.</summary>
    public string UserName
    {
        get { return _username; }
    }
}
}