Microsoft Identity Claims: Isolating Enumerations, Part 2
We need a way to manage our permissions, but first, we need to restrict certain enumerated types. In today's part two, we create a custom attribute to include certain permissions.
Microsoft Identity: Granular Authorizations Series
- Microsoft Identity Claims: Granular Authorizations, Part 1
- Microsoft Identity Claims: Isolating Enumerations, Part 2 (this post)
- Microsoft Identity Claims: Building the UI, Part 3
In part one of this series on using Microsoft Identity Claims, we examined a simple way to implement granular permissions attached to entities. This gives administrators an easy way for users to perform certain tasks on entities across your application.
In today's part two, we'll continue with this approach and look at creating a way to isolate and associate PermissionEnum types with Permission entities to assist in building a UI for managing user permissions.
Overview
One of our goals in this series is to provide a flexible way to add security hooks and providing a flexible UI so administrators can give permission to certain users in the app.
If we examine our PermissionEnums again, you'll see not all enum types pertain to every entity.
[Flags]
public enum PermissionEnum
{
Create = 1,
Retrieve = 2,
Update = 4,
Delete = 8,
Upload = 16,
SendEmail = 32
}
For example, if we had a User entity, there wouldn't be a need to perform an Upload on a User so we wouldn't need that Upload permission. It doesn't make sense to attach a permission to a permission entity we won't use.
So we need a way to include a list of PermissionEnums from a permission entity.
As we mentioned in the last post, our PermissionEnum is not really a enumerated type, but a class in disguise. The easiest way to attach a PermissionEnum to a permission entity is to use attributes.
Enter the IncludePermission Attribute
Our simple custom attribute class creates a list of PermissionEnums related to a permission entity.
[AttributeUsage(AttributeTargets.Field)]
public class IncludePermissionAttribute : Attribute
{
public readonly PermissionEnum[] IncludedPermissions;
public IncludePermissionAttribute(params PermissionEnum[] includedPermissions)
{
IncludedPermissions = includedPermissions;
}
}
As you can see in the constructor, we can pass in any number of PermissionEnums and we save it to an array to includedPermissions. This gives us a way to list the PermissionEnums associated with a permission entity.
Now we can attach our IncludePermissionAttribute to our permission entities like the following example below.
public class Permission : Enumeration
{
[IncludePermission(PermissionEnum.Create, PermissionEnum.Update,
PermissionEnum.View, PermissionEnum.Delete)]
public static readonly Permission Project = new Permission(1, "Project");
[IncludePermission(PermissionEnum.Upload)]
public static readonly Permission Attachment = new Permission(2, "Attachment");
protected Permission(int id, string groupName) : base(id, groupName) { }
}
The Permission entities each have a list of valid PermissionEnum related to each entity. Any user in the system can perform CRUD operations and users are allowed (or not allowed to) upload attachments.
Conclusion
In today's post, we created a custom attribute and attached it to our Permission entities and describing what each entity can do throughout the system.
This sets us up for success and will make our life easier when we build our UI for administrators.
In Part 3, we'll finish up the series by taking everything we built and create our UI from it.
Have you created your own custom attributes? Extended Microsoft Identity using Claims? Post your comments and let's discuss.
