Coronavirus News

Stay up-to-date with the latest news about the Coronavirus with tools and data in my Collection: Coronavirus Critical Links.

Microsoft Identity Claims: Isolating Enumerations, Part 2

We need a way to manage our permissions, but first, we need to restrict certain enumerated types. In today's part two, we create a custom attribute to include certain permissions.

Written by Jonathan "JD" Danylko • Last Updated: • Develop •

Ship stranded on sand

Microsoft Identity: Granular Authorizations Series

  1. Microsoft Identity Claims: Granular Authorizations, Part 1
  2. Microsoft Identity Claims: Isolating Enumerations, Part 2 (this post)
  3. Microsoft Identity Claims: Building the UI, Part 3

In part one of this series on using Microsoft Identity Claims, we examined a simple way to implement granular permissions attached to entities. This gives administrators an easy way for users to perform certain tasks on entities across your application.

In today's part two, we'll continue with this approach and look at creating a way to isolate and associate PermissionEnum types with Permission entities to assist in building a UI for managing user permissions.

Overview

One of our goals in this series is to provide a flexible way to add security hooks and providing a flexible UI so administrators can give permission to certain users in the app.

If we examine our PermissionEnums again, you'll see not all enum types pertain to every entity.

[Flags]
public enum PermissionEnum
{
    Create = 1,
    Retrieve = 2,
    Update = 4,
    Delete = 8,
    Upload = 16,
    SendEmail = 32
}

For example, if we had a User entity, there wouldn't be a need to perform an Upload on a User so we wouldn't need that Upload permission. It doesn't make sense to attach a permission to a permission entity we won't use.

So we need a way to include a list of PermissionEnums from a permission entity.

As we mentioned in the last post, our PermissionEnum is not really a enumerated type, but a class in disguise. The easiest way to attach a PermissionEnum to a permission entity is to use attributes.

Enter the IncludePermission Attribute

Our simple custom attribute class creates a list of PermissionEnums related to a permission entity.

[AttributeUsage(AttributeTargets.Field)]
public class IncludePermissionAttribute : Attribute
{
    public readonly PermissionEnum[] IncludedPermissions;

   public IncludePermissionAttribute(params PermissionEnum[] includedPermissions)
    {
        IncludedPermissions = includedPermissions;
    }
}

As you can see in the constructor, we can pass in any number of PermissionEnums and we save it to an array to includedPermissions. This gives us a way to list the PermissionEnums associated with a permission entity. 

Now we can attach our IncludePermissionAttribute to our permission entities like the following example below.

public class Permission : Enumeration
{
    [IncludePermission(PermissionEnum.Create, PermissionEnum.Update, 
        PermissionEnum.View, PermissionEnum.Delete)]
    public static readonly Permission Project = new Permission(1, "Project");

   [IncludePermission(PermissionEnum.Upload)]
    public static readonly Permission Attachment = new Permission(2, "Attachment");

   protected Permission(int id, string groupName) : base(id, groupName) { }
}

The Permission entities each have a list of valid PermissionEnum related to each entity. Any user in the system can perform CRUD operations and users are allowed (or not allowed to) upload attachments. 

Conclusion

In today's post, we created a custom attribute and attached it to our Permission entities and describing what each entity can do throughout the system.

This sets us up for success and will make our life easier when we build our UI for administrators.

In Part 3, we'll finish up the series by taking everything we built and create our UI from it.

Have you created your own custom attributes? Extended Microsoft Identity using Claims? Post your comments and let's discuss.

Did you like this content? Show your support by buying me a coffee.

Buy me a coffee  Buy me a coffee
Picture of Jonathan "JD" Danylko

Jonathan Danylko is a web architect and entrepreneur who's been programming for over 25 years. He's developed websites for small, medium, and Fortune 500 companies since 1996.

He currently works at Insight Enterprises as a Principal Software Engineer.

When asked what he likes to do in his spare time, he replies, "I like to write and I like to code. I also like to write about code."

comments powered by Disqus