RhinoSecurity documentation?


Beto

Jan 27, 2010, 1:56:03 PM
to Rhino Tools Dev
Hi Ayende,

Have you thought about developing some documentation/book for
RhinoSecurity with book examples and the correct way of implementing
RhinoSecurity in an enterprise application? Many of the examples that
I have learned from have come from scattered blogs and I still don’t
think I know enough or the full potential of RhinoSecurity. I would
definitely pay for something like this.

Ayende Rahien

Jan 27, 2010, 1:57:59 PM
to rhino-t...@googlegroups.com
Beto,
That is certainly an interesting suggestion. :-)

How about suggesting a TOC?


--
You received this message because you are subscribed to the Google Groups "Rhino Tools Dev" group.
To post to this group, send email to rhino-t...@googlegroups.com.
To unsubscribe from this group, send email to rhino-tools-d...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rhino-tools-dev?hl=en.


Beto

Jan 27, 2010, 2:36:14 PM
to Rhino Tools Dev
Here is what I came up with:
Table of Contents
I. What is RhinoSecurity
   a. Dependencies
II. The Security Model explained
   a. Users/Groups/Operations…
   b. EntityTypes/EntityGroups/EntityReferences…
   c. The API explained
III. Implementation Example
   a. The use case
   b. Implementation with ASP.NET MVC
      i. Integration with:
         1. NHibernate
         2. Windsor
         3. RhinoTools
   c. Extending RhinoSecurity

May I suggest for the example something like a geopolitical use case,
where a combination of political and geographic factors relates to
security?



Ayende Rahien

Jan 27, 2010, 3:33:10 PM
to rhino-t...@googlegroups.com
Can you write up the example scenario?


LOBOMINATOR

Jan 27, 2010, 4:19:04 PM
to rhino-t...@googlegroups.com

Hello Ayende

I would pay for that too!

Daniel

Beto

Jan 27, 2010, 5:16:13 PM
to Rhino Tools Dev
How about a school system since it’s both political and geographical.
Let me explain:

An educational system is divided into States > Counties > Districts >
Schools. In each level there exist user roles such that a user who
has a “District Administrator Role” is able to edit any School
information that belongs to the district he manages only, and gets a
denied access if he tries modifying a school that is outside the
District that he manages.

Subsequently if a user has a “County Admin Role” he is able to edit
the information at a County (only his own), Districts (that belong to
the County that he manages) and Schools (all the schools in the County
that he manages).

So your access to edit information depends on the role that you are
assigned and also the location that you were assigned.

Let me know if you have any questions.

mynkow

Jan 28, 2010, 10:31:48 AM
to Rhino Tools Dev
+1 for a RhinoSecurity book. IMO a console application is enough.

Dan

Feb 2, 2010, 11:00:55 AM
to Rhino Tools Dev
These are good suggestions and I like this use case, but I would like
to add the idea of a particular user having multiple roles in the
system over multiple entities. For example the user who has a
"District Administrator Role" over a particular district could also
have "Parent of Student" role in a school that belongs to a different
district. This role could then give the user some rights to view (but
not edit) that school's information.

Dan

Ayende Rahien

Feb 28, 2010, 4:15:23 PM
to rhino-tools-dev
Guys,
Sorry, I don't think that I can do it.
What I can do however, is provide assistance to anyone who would be willing to take this


Beto

Mar 1, 2010, 12:23:55 AM
to Rhino Tools Dev
I can go ahead and take the lead on this since I started the
discussion. I got two questions though:

1. Where should I post the documentation? Would this work:
   http://www.ayende.com/Wiki/MainPage.ashx? Or do you have another
   suggestion?
2. I’m already thinking of some permission design questions that I
   would like to ask. Should I post them to this group (if so, in this
   same post?) or should I email you and then post the wiki article with
   an explanation?

I will start on the project and post it to Google Code once I have
enough code to be a useful example.

Ayende Rahien

Mar 1, 2010, 3:22:10 AM
to rhino-tools-dev
I think http://hibernatingrhinos.com/open-source/rhino-security would be a better place.
You can edit it with Live Writer, which is much easier. 
I will give you and anyone else who wants to contribute a login there.

And you can post the question here, yes.


Beto

Mar 1, 2010, 2:15:54 PM
to Rhino Tools Dev
For the example scenario above there exists a hierarchy for the
organizations (States > Counties > Districts > Schools), such that if
you are assigned a State Administrator role you would have access to
modify all schools' data that belong to this state. In the
EntityReferencesToEntityGroups, from my understanding, there only exists
one level of grouping, which is from EntityReferences to EntityGroups.
In the example above EntityReferences could be the Schools themselves
and EntityGroups could be the Districts.

So for a District Admin Role I would be able to assign an
EntityGroup (a district) on the User, but what happens, let’s just say,
when there exist 1000’s of EntityGroups (Districts) and you would want
to assign a County Admin Role for Orange County? How would you go
about picking the EntityGroups that belong only to Orange County,
since there is no grouping from entity groups to entity groups (such
that you can model County to Districts)? What I could do is traverse
the organizationHiearchy table and get all SecurityKeys that are
type school and belong to Orange County and compare to the entity
references table (assuming there has been an entity reference created
for each school) and do a for loop to assign the user all schools that
belong to Orange County, but this to me sounds like I would be hitting
the permissions table pretty hard. Do you have any suggestions for a
more elegant solution?

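The hierarchy question in the post above (a role granted at County level should cover every District and School beneath it) and the multiple-roles case raised earlier in the thread can be modelled with a parent link on each group and a check that walks up the ancestor chain. This is an added example, not part of the original thread, and it does not use Rhino Security's own classes or API; `Scope`, `Grant`, `IsAllowed`, the user names and the operation names are all hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Stand-alone model; these types are hypothetical, not Rhino Security's classes.
class Scope   // a State, County, District or School node
{
    public readonly string Name;
    public readonly Scope Parent;   // null at the root (the State)
    public Scope(string name, Scope parent = null) { Name = name; Parent = parent; }

    // The node itself, then each ancestor up to the root.
    public IEnumerable<Scope> SelfAndAncestors()
    {
        for (var s = this; s != null; s = s.Parent) yield return s;
    }
}

class Grant { public string User, Operation; public Scope On; }

static class Demo
{
    static readonly List<Grant> Grants = new List<Grant>();

    // Default deny: allowed only when a grant for this user and operation sits
    // on the target or on one of its ancestors. A role assignment is one grant
    // row at its own level, not one row per school underneath it.
    static bool IsAllowed(string user, string operation, Scope target)
    {
        var chain = new HashSet<Scope>(target.SelfAndAncestors());
        return Grants.Any(g => g.User == user && g.Operation == operation && chain.Contains(g.On));
    }

    static void Main()
    {
        // Constructed sample hierarchy and grants.
        var state = new Scope("State");
        var orange = new Scope("Orange County", state);
        var district1 = new Scope("District 1", orange);
        var district2 = new Scope("District 2", orange);
        var schoolA = new Scope("School A", district1);
        var schoolB = new Scope("School B", district2);

        Grants.Add(new Grant { User = "county-admin", Operation = "Edit", On = orange });
        Grants.Add(new Grant { User = "district-admin", Operation = "Edit", On = district1 });
        Grants.Add(new Grant { User = "district-admin", Operation = "View", On = schoolB }); // parent role

        Console.WriteLine(IsAllowed("county-admin", "Edit", schoolB));   // school two levels below the grant
        Console.WriteLine(IsAllowed("district-admin", "Edit", schoolA)); // school inside the managed district
        Console.WriteLine(IsAllowed("district-admin", "View", schoolB)); // view-only role in another district
        Console.WriteLine(IsAllowed("district-admin", "Edit", schoolB)); // edit outside the managed district
    }
}
```

The cost of a check grows with the depth of the hierarchy (four levels here), not with the number of schools under a county.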

Ayende Rahien

Mar 1, 2010, 2:21:44 PM
to rhino-tools-dev
Beto,
I never considered the case of hierarchical entity groups.
It might be a nice feature.
You can probably use the same template as the UsersGroup for the patch


Beto

Mar 1, 2010, 2:44:43 PM
to Rhino Tools Dev
Alright I will give it my best shot.


Beto

Mar 2, 2010, 7:34:55 PM
to Rhino Tools Dev
Hi Ayende
I have modified the EntityGroup class and mapping to reflect the
current diagram: http://i298.photobucket.com/albums/mm258/franco98g/RS_DB_Diagram.jpg

Any suggestions?

My guess is that I will have to create a new function similar to
“CreateChildUserGroupOf” maybe “CreateChildEntityGroupOf” along with
one other function such as GetAncestryAssociation(entity,
entityGroupName).

And will have to update the following functions:

GetPermissionsFor<TEntity>(IUser user, TEntity entity)
GetPermissionsFor<TEntity>(IUser user, TEntity entity, string operationName)
GetPermissionsFor<TEntity>(TEntity entity)

Is that correct and am I missing any?

Do you have any other suggestions?


Ayende Rahien

Mar 2, 2010, 9:52:52 PM
to rhino-tools-dev
Looks good


Beto

Apr 7, 2010, 1:49:07 PM
to Rhino Tools Dev
Glad to see the Entity Hierarchy groups patch made it to the RS trunk.
