new ThoughtStream("Derick Bailey"); - All Comments

re: How To? Highly Complex Query Generating Based On Security Needs

Doug Ferguson — Tue, 30 Jun 2009 17:52:12 GMT

You might consider using a collection of specification patterns (Evans).

Given the fact that you need to see the difference between "not-authorized" and "does not exist", you may want to pull the releveant records for a vet even if the Conselor can't have access to the record.

Then, you can run the results through a Specification rule, or a series of them, to determine if the conselor has access to the particular record.

If not data is returned from the query, you know the record does not exist. If a record IS returned, but the combination of the conselor and the vet fail the specification rule, you can return "not-authorized."

Here's a link to a specification implementation using generics. I found it helpful and modified it to accept two objects. You could pass in your conselor and the vet dto's.

devlicio.us/.../the-specification-pattern.aspx

This may or may not work from a performance standpoint depending upon how many records are being returned/evaluated.

re: How To? Highly Complex Query Generating Based On Security Needs

JC Grubbs — Sun, 28 Jun 2009 22:24:15 GMT

What about just building a set of composable methods that expose IQueryable<T> and then building up a query based on the current context's security concerns. As you chain these methods together the query gets more and more limiting. It's not a very "slick" way of doing it but the composability of IQueryable is extremely powerful.

Arjan’s World » LINKBLOG for June 26, 2009

Arjan’s World » LINKBLOG for June 26, 2009 — Fri, 26 Jun 2009 20:17:58 GMT

Pingback from Arjan’s World » LINKBLOG for June 26, 2009

re: How To? Highly Complex Query Generating Based On Security Needs

MIke — Fri, 26 Jun 2009 03:19:23 GMT

I wonder if you can take advantage of NHibernate Filters here and attach a security to the session at runtime to get let NH do the heavy lifting for you.

Might be simpler if this is the only place in your app you have encountered this

re: How To? Highly Complex Query Generating Based On Security Needs

Adam Tybor — Fri, 26 Jun 2009 01:23:28 GMT

+1 to Rhino Security. The really cool part is how it transparently attaches to your domain then applies the necessary nhibernate detached criteria so filtering can happen in the query at the db level. No more client side filtering and applying rules on huge result sets!

re: How To? Highly Complex Query Generating Based On Security Needs

Gilligan — Thu, 25 Jun 2009 21:51:29 GMT

Exactly. Rhino Security Permissions have three "dimensions" : User/User Groups, Operations (which are hierarchal), and optionally Entities/Entity Groups.

This allows us to break any security rule down into a simple "this user/group either can or cannot perform these operations on this entity/entity group". Rhino Security handles the aggregation of permissions (eg a user is a member of a group but also has its own permissions for an operation) automatically.

Trust me once you implement Rhino Security you will never look back and you will wonder how you ever managed with only Asp.Net's role system before.

re: How To? Highly Complex Query Generating Based On Security Needs

derick.bailey — Thu, 25 Jun 2009 21:22:25 GMT

@Gilligan,

so what you're saying is that the permission would be stored in a table, to say "this couselor (id x) can see this veteran (id y)" and then at the time the check needs to be made, it would look at that cached permission list? is that close to what you're saying Rhino.Security does?

that's certainly a different concept than what I was trying to do, but is sparking some interesting thoughts in the back of my head... definately makes me want to look at Rhino Security further.

re: How To? Highly Complex Query Generating Based On Security Needs

Gilligan — Thu, 25 Jun 2009 21:15:03 GMT

We have similar complexity in parts of our system, like only retail members can see these items but everyone can see these other items.

I used Rhino security and put it in a separate bounded context. Rhino security can attach security criteria to any query. It also has the ability to relate permissions to a specific entity. So I created a set of security listeners that represent my security rules. The listeners listen to appropriate events and apply the needed security rules. Example for Rule #4. I would create listeners for the following events: Veteran added to region, veteran removed from region, Counselor added to Regional Office, and Counselor removed from regional office. When any of these events occurs the listener will add/remove the appropriate permissions for the Counselor/Veteran pair. Rhino Security handles everything else.

re: How To? Highly Complex Query Generating Based On Security Needs

derick.bailey — Thu, 25 Jun 2009 21:09:36 GMT

@Tuna,

Thanks. I spent the last 30 minutes trying to read up on it. It seems fairly complex, off-hand, but it certainly looks like it is worth diving into, to see if it can help.

How To? Highly Complex Query Generating Based On Security Needs - Derick Bailey - Los Techies

DotNetShoutout — Thu, 25 Jun 2009 21:00:20 GMT

Thank you for submitting this cool story - Trackback from DotNetShoutout

re: How To? Highly Complex Query Generating Based On Security Needs

Tuna Toksoz — Thu, 25 Jun 2009 20:51:28 GMT

In case you haven't seen Rhino.Security

ayende.com/.../Rhino-Security-Overview-Part-I.aspx

I am not sure if can do exactly what you want, but it is worth looking.

re: A Kanban Is Just A Signal To Do Work

Henrik Mårtensson — Mon, 22 Jun 2009 21:10:59 GMT

You are right that a kanban does not necessarily imply a pull system. A kanban is just a token. However, a kanban system, which is a technical term for a process control system created by Taichi Ohno, is _always_ a pull system.

It is also helpful to know that in a kanban system, there are two types of kanban:

Work-In-Process kanban, i.e. the Post-It notes on your board.

Withdrawal kanban, i.e. the stikki clips on your board

Here is an article about defining kanban: kallokain.blogspot.com/.../defining-kanban.html

The article was picked up by DZone recently.

re: Cloning Or Converting Linux VM From VMWare Workstation To ESX Server: ETH0 Gone. ETH1 Available?

Nick Leverton — Sun, 21 Jun 2009 21:04:21 GMT

This is a product of the last few versions of udev and has bitten me equally on both Debian and Fedora (Fedora perhaps even the more so cos it's hit more machines). Both in the case where you change one interface card and in the case where you change the entire platform, I would think it more useful to enumerate new network cards into the places of those which are no longer present, rather than continuing from eth2, eth3 etc.

Cloning Or Converting Linux VM From VMWare Workstation To ESX Server: ETH0 Gone. ETH1 Available? | Debian-News.net - Your one stop for news about Debian

Sun, 21 Jun 2009 13:50:00 GMT

Pingback from Cloning Or Converting Linux VM From VMWare Workstation To ESX Server: ETH0 Gone. ETH1 Available? | Debian-News.net - Your one stop for news about Debian

re: A Kanban Is Just A Signal To Do Work

jdn — Fri, 19 Jun 2009 20:57:22 GMT

I guess I'm not sure why it is really a concern to call it a kanban board. I think anyone learning the very basics of kanban can easily grasp that a kanban board is a task listing thingy with queues that have numerical limits and cards/post-its/whatever that are the numerals.

It's obviously only the beginning of learning Kanban/Pull/Lean/Whatever, but it is so easy to grasp and it gets at the heart of the matter, I think.