Net SQL AzMan中的所有设置似乎都是基于“OR”的。
例如:
如果您将3(授权)应用程序组添加到操作中,则用户需要位于第一个或第二个或第三个应用程序组中以获得操作权限。
我正在寻找一种方式来说明用户需要(第一个和第二个)或(第一个和第三个)。
有办法吗?
原因原因:
当用户从一个部门移动到另一个部门时,我们会为用户提供滚雪球权我想为每个Active Directory部门设置一个角色(在上面的示例中为“第一个”)。如果我能够使上述逻辑工作,那么当用户更换部门时,他们将失去以前部门的权限(即使他们的老板很懒,也没有让AzMan更新)。
如果我无法在AzMan中使用,那么我可以让我的应用程序执行此操作。但是在AzMan级别会更容易。
答案 0 :(得分:2)
您可以在操作上使用BizRule执行此操作。它的代码有点矫枉过正,但这应该只需要很少的修改。
using System;
using System.Security.Principal;
using System.IO;
using System.Data;
using System.Collections;
using System.Collections.Specialized;
using System.Collections.Generic;
using System.Text;
using NetSqlAzMan;
using NetSqlAzMan.Interfaces;
using System.Security.Principal;
using System.Reflection;
namespace APPLICATION.BizRules
{
public sealed class BizRule : IAzManBizRule
{
public BizRule()
{ }
public bool Execute(Hashtable contextParameters, IAzManSid identity, IAzManItem ownerItem, ref AuthorizationType authorizationType)
{
string sqlConnectionString = "data source=DATABASE_FQN;initial catalog=DATABASE;Integrated Security=false;User Id=USER_NAME;Password=PASSWORD";
IAzManStorage storage = new SqlAzManStorage(sqlConnectionString);
try
{
bool authorized = false;
if (identity.StringValue.StartsWith("S"))
{
//this is a little over kill but there is no way to reference standard .net libraries in NetSqlAzMan
Assembly asm = Assembly.Load(@"System.DirectoryServices.AccountManagement, Version=3.5.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089");
System.Type userPrincipalType = asm.GetType("System.DirectoryServices.AccountManagement.UserPrincipal");
System.Type principalContextType = asm.GetType("System.DirectoryServices.AccountManagement.PrincipalContext");
System.Type contextTypeType = asm.GetType("System.DirectoryServices.AccountManagement.ContextType");
System.Type identityTypeType = asm.GetType("System.DirectoryServices.AccountManagement.IdentityType");
Object principalContext = Activator.CreateInstance(principalContextType, new object[] { Enum.ToObject(contextTypeType, 1), "DENALLIX" });
MethodInfo methodInfo = userPrincipalType.GetMethod("FindByIdentity", new Type[] { principalContextType, identityTypeType, typeof(string) });
Object userPrincipal = methodInfo.Invoke(null, new object[] { principalContext, Enum.ToObject(identityTypeType, 4), identity.StringValue });
string userPrincipalName = userPrincipal.GetType().GetProperty("UserPrincipalName").GetValue(userPrincipal, null).ToString();
WindowsIdentity user = new WindowsIdentity(userPrincipalName);
authorized = (checkRoleAuthorization(storage, "GROUP1", user) && checkRoleAuthorization(storage, "GROUP2", user)) || checkRoleAuthorization(storage, "GROUP3", user);
}
else
{
AzManUser user = new AzManUser(identity);
authorized = (checkRoleAuthorization(storage, "GROUP1", user) && checkRoleAuthorization(storage, "GROUP2", user)) || checkRoleAuthorization(storage, "GROUP3", user);
}
return authorized;
}
catch (SqlAzManException ex)
{
return false;
}
}
private bool checkRoleAuthorization(IAzManStorage storage, string roleName, object user)
{
AuthorizationType auth = AuthorizationType.Deny;
if (user is WindowsIdentity)
{
auth = storage.CheckAccess("MY STORE", "MY APPLICATION", roleName, (WindowsIdentity)user, DateTime.Now, true);
}
else
{
auth = storage.CheckAccess("MY STORE", "MY APPLICATION", roleName, (IAzManDBUser)user, DateTime.Now, true);
}
return auth == AuthorizationType.Allow || auth == AuthorizationType.AllowWithDelegation;
}
}
public partial class AzManUser : IAzManDBUser
{
private Dictionary<string, object> _customColumns = new Dictionary<string, object>();
private IAzManSid _sid;
private string _username;
public AzManUser(string username, string sid)
{
_username = username;
_sid = new NetSqlAzMan.SqlAzManSID(sid);
}
public AzManUser(string sid)
{
_username = string.Empty;
_sid = new NetSqlAzMan.SqlAzManSID(sid);
}
public AzManUser(IAzManSid sid)
{
_username = string.Empty;
_sid = sid;
}
public Dictionary<string, object> CustomColumns
{
get { return _customColumns; }
}
public IAzManSid CustomSid
{
get
{
return _sid;
}
}
public string UserName
{
get { return _username; }
}
}
}