News, examples, tips, ideas and plans.
Thoughts around ORM, .NET and SQL databases.

Friday, February 25, 2011

On security system, part 1

This is an introductory post on the design and implementation of the security system in DataObjects.Net. Here we want to define the common terms, considerations and requirements for the upcoming security system.

Bits of theory

Almost any access control model can be stated formally using the notions of users (subjects), objects, operations, and permissions, and the relationships between these entities.
  • The term user refers to people who interface with the computer system, directly or not, and on whose behalf a computer program or process takes some action.
  • An object, in terms of classic OR/M, can be any entity or group of entities accessible within the mapped database(s).
  • An operation is a standalone action invoked by the user on the objects.
  • Permissions (or privileges) are authorizations to perform some action on the objects. The term permission refers to some combination of object and operation.
The role-based access control model (RBAC) adds one more fundamental term to the list: a role. A role is essentially a collection of permissions. Within an organization, roles are relatively stable, while users and permissions are both numerous and may change rapidly. Controlling all access through roles simplifies the management and review of access controls, so we prefer to follow the role-based security model, where users receive permissions only through the roles to which they are assigned.




Another advantage of the role-based access control model is that roles are inherently hierarchical: roles can inherit permissions from other roles. As a result, appropriate role hierarchies can be flexibly defined for any business process workflow, for example:
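A role hierarchy of this kind, sketched in C# as an added example (not DataObjects.Net code and not from the original post). The `Role` and `Permission` types and the role names are hypothetical; the point is that a user's effective permissions are resolved only through assigned roles and their ancestors.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical types for illustration; not the DataObjects.Net API.
// A permission is a combination of object and operation, as defined above.
public sealed record Permission(string ObjectType, string Operation);

public sealed class Role
{
    public string Name { get; }
    public List<Role> Parents { get; } = new();          // roles this role inherits from
    public HashSet<Permission> Granted { get; } = new(); // permissions granted directly
    public Role(string name, params Role[] parents) { Name = name; Parents.AddRange(parents); }

    // Effective permissions = own grants plus everything inherited.
    // The visited set keeps a misconfigured cyclic hierarchy from looping forever.
    public ISet<Permission> EffectivePermissions()
    {
        var result = new HashSet<Permission>();
        var visited = new HashSet<Role>();
        var pending = new Stack<Role>();
        pending.Push(this);
        while (pending.Count > 0)
        {
            var role = pending.Pop();
            if (!visited.Add(role)) continue;
            result.UnionWith(role.Granted);
            foreach (var parent in role.Parents) pending.Push(parent);
        }
        return result;
    }
}

public static class Demo
{
    public static void Main()
    {
        var employee = new Role("Employee");
        employee.Granted.Add(new Permission("Order", "Read"));
        var salesManager = new Role("SalesManager", employee);
        salesManager.Granted.Add(new Permission("Order", "Approve"));

        // Users hold roles only; permissions are never attached to a user directly.
        var effective = new[] { salesManager }.SelectMany(r => r.EffectivePermissions()).ToHashSet();
        Console.WriteLine(effective.Contains(new Permission("Order", "Read")));   // inherited from Employee
        Console.WriteLine(effective.Contains(new Permission("Order", "Delete"))); // never granted
    }
}
```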



In conclusion: although every access control system has its own advantages and limitations, we've chosen RBAC as the basis for the access control model in DataObjects.Net because of its flexibility and efficiency in most usage scenarios.

Requirements and other considerations

First of all, we don't want to reinvent the wheel (again). If any core part of the standard .NET security system can be consumed, then it should be consumed. Mainly, I mean core interfaces such as IPrincipal and IIdentity. This might help us use the Thread.CurrentPrincipal property in the same way as we use Thread.CurrentThread.CurrentCulture in the localization extension, as well as integrate more tightly with system authentication services.

Other considerations:
  • Security-related data mustn't be stored in serialized form in blob fields or the like. It must be accessible via plain SQL.
  • If possible, the security system should be implemented as an extension (a separate assembly) to the core framework.
  • Security policy shouldn't be automatically applied to all persistent types. Only selectively chosen and configured persistent types should be subject to the security system. This could be done with the help of a special marker interface, an attribute or similar.
  • The authentication part should be extensible with custom types of authentication services (LDAP, WebServices, etc.).
  • LINQ queries should be transparently rewritten by the security system to apply effective permissions.
  • An ASP.NET membership provider should be implemented as well.
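How three of these requirements fit together (opt-in via a marker interface, the standard IPrincipal, and permissions applied inside the LINQ query) is shown in the added C# sketch below; it is not DataObjects.Net code. `ISecured`, `OwnerRole`, `SecureQuery` and the entity types are hypothetical, and the filter is applied by an explicit helper rather than by a transparent rewriter.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Expressions;
using System.Security.Principal;
using System.Threading;

// Hypothetical marker and entities; not the DataObjects.Net API.
public interface ISecured { string OwnerRole { get; } }
public class Invoice : ISecured { public int Id { get; set; } public string OwnerRole { get; set; } }
public class Country { public string Name { get; set; } }   // not marked: never filtered

public static class SecureQuery
{
    // Appends a Where clause for secured types only, so the restriction becomes part of
    // the expression tree a provider translates to SQL rather than an in-memory check.
    public static IQueryable<T> For<T>(IQueryable<T> source, string[] knownRoles)
    {
        if (!typeof(ISecured).IsAssignableFrom(typeof(T))) return source;
        var principal = Thread.CurrentPrincipal;
        // No principal means no roles: fail closed and return nothing.
        var held = principal == null ? new string[0] : knownRoles.Where(principal.IsInRole).ToArray();
        var row = Expression.Parameter(typeof(T), "row");
        var ownerRole = Expression.Property(row, nameof(ISecured.OwnerRole));
        var contains = Expression.Call(typeof(Enumerable), nameof(Enumerable.Contains),
            new[] { typeof(string) }, Expression.Constant(held, typeof(IEnumerable<string>)), ownerRole);
        return source.Where(Expression.Lambda<Func<T, bool>>(contains, row));
    }
}

public static class Demo
{
    public static void Main()
    {
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Sales" });
        var invoices = new[] {
            new Invoice { Id = 1, OwnerRole = "Sales" },
            new Invoice { Id = 2, OwnerRole = "Finance" },
        }.AsQueryable();   // constructed sample data standing in for a mapped table
        var roles = new[] { "Sales", "Finance" };
        // Only rows owned by a role the current principal holds are enumerated.
        foreach (var invoice in SecureQuery.For(invoices, roles)) Console.WriteLine(invoice.Id);
    }
}
```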

This list doesn't pretend to be complete. We might have overlooked something. If so, please don't hesitate to post a comment.

In the next posts of the series I'll try to describe several aspects of the system in more detail.
