rhino security UI

[Mick Delaney]

Hi,

i know this has been asked before, but has anyone developed a UI for
rhino security. Web or Windows etc. I'm going to start one tommorow
but if someone has started one already i'll gladly contribute.

Regards.

[Ayende Rahien]

Not that has been made public, if you can add that, I would love it!

[Mick Delaney]

i've started working on it now. i'm using the suggestion you made
here: http://rhino-tools-dev.googlegroups.com/attach/0a63df296482c47c/perms.png?view=1&part=4

at the moment i have a treeview (html) built with the hierarchical
operations, when i select an operation it makes a request back for the
permissions on the right hand side.

any tips on what is the best approach for querying the permissions
here?

On Oct 15, 12:23 am, Ayende Rahien <aye...@ayende.com> wrote:
> Not that has been made public, if you can add that, I would love it!
>

[Ayende Rahien]

Not sure that I am following what you mean here.

[Mick Delaney]

Basically I've been scratching the surface of rhino security, just
using groups and operations. i.e. add a user to a group,
and then check if this group has a permission for this operation,
with .OnEverything().DefaultLevel() etc.
I've built an mvc UI screen for that (based on the top half of your
mockup).

But I've not been using Entities/EntityGroups at all, but reading a
previous discussion about this admin UI i've made the assumption that
the botton half of your screen mock up was based on an Entity called
"Big Shipments".

Am i correct??

Just so I understand Rhino Security correctly I've got an example.

A multitenant app for football teams, with an operation called Player/
Add, which adds a player to a team.
Only EXISTING team members with a role of 'Manager' should be able to
do this.

Table Players:
TeamId
PlayerId
PlayerName

Operation => Player/Add
IUser => TeamUser
UserGroup => Manager
Entity=>Team

bool canAddPlayer = authService.IsAllowed<Team>(currentUser,
currenTeam, 'Player/Add').

This will then extract the team id from Team, the id from User, and
check if a permission exists for this user against this team for this
operation, or if the user is part of a group
which has a permission against this team.

To Clarify:

We're denying permission for operation Player/Add for everyone.

Unless:
A: They're in the 'Managers' group (UserGroup)
B: They provide the correct Entity (Team)

For the admin screen then.

Global:
Operations: all operations
Allowed: any permission on this operation where allow is true
Forbidden: any permission on this operation where allow is false

Entity:
Operations: all operations
Allowed: any permission on this operation where allow is true and
EntitySecurityKey = id whatever entity you provide
Forbidden: any permission on this operation where allow is false and
EntitySecurityKey = id whatever entity you provide

[Ayende Rahien]

inline (but basically it is yes to all your quesitons)

On Fri, Oct 16, 2009 at 12:06 PM, Mick Delaney <mickd...@gmail.com> wrote:

Basically I've been scratching the surface of rhino security, just
using groups and operations. i.e. add a user to a group,
and then check if this group has a permission for this operation,
with .OnEverything().DefaultLevel() etc.
I've built an mvc UI screen for that (based on the top half of your
mockup).

But I've not been using Entities/EntityGroups at all, but reading a
previous discussion about this admin UI i've made the assumption that
the botton half of your screen mock up was based on an Entity called
"Big Shipments".

Yes
 

Am i correct??

Just so I understand Rhino Security correctly I've got an example.

A multitenant app for football teams, with an operation called Player/
Add, which adds a player to a team.
Only EXISTING team members with a role of 'Manager' should be able to
do this.

Table Players:
TeamId
PlayerId
PlayerName

Operation => Player/Add
IUser => TeamUser
UserGroup => Manager
Entity=>Team

bool canAddPlayer = authService.IsAllowed<Team>(currentUser,
currenTeam, 'Player/Add').

This will then extract the team id from Team, the id from User,  and
check if  a permission exists for this user against this team for this
operation, or if the user is part of a group
which has a permission against this team.

Yes

[Mick Delaney]

I have another question.

Can I be a 'Manager' for 'Team A', but a 'Player' for 'Team B'.

And if so how would i represent that in RS.

On Oct 16, 11:14 am, Ayende Rahien <aye...@ayende.com> wrote:
> inline (but basically it is yes to all your quesitons)
>

[Ayende Rahien]

You would have two user groups.

Managers - Team A
Players - Team B

Groups (both entities & users) are cheap with RS.

[Mick Delaney]

I'm working on a multitenant app right now (not football teams!), but
the plan is for 1000's of tenants. that would result in 1000's of
UserGroups. (they're cheap though as you said).

I guess an easy may to model my domain is to think of it like a
multitenant shopping site. where u can create a new shop and customer
can buy stuff from the shop.

User Types:
Employee (Owner, Manager, Employee). may me a member of any Shop, but
may be a Manager in 1, and a Employee in another.
Customer, may have orders with many shops, the role is implied, i.e.
if i have orders with Shop A then I'm a Customer of shop A.
System, manages the system, shop has paid they're fees, shut them down
etc.

So i'd need Shop A - Manager, Shop B - Manager.

From an app design point of view on an operation like. Product/Add,
i'd build up the role like, role = CurrentShop.Name + " - " Manager
etc.

Do you think RS is a good fit in that situation?

If i go with a custom solution i'd probably have a UserToUserGroups
table with a EntityId also i guess.

On Oct 16, 11:51 am, Ayende Rahien <aye...@ayende.com> wrote:
> You would have two user groups.
>
> Managers - Team A
> Players - Team B
>
> Groups (both entities & users) are cheap with RS.
>

[Ayende Rahien]

I think it is a good fit, based on what you described, yes.