Re: Question about Authorization Manager



Nicole Calinoiu wrote:
If you were working more closely against the AzMan API (as opposed to via a wrapper like the security app block), you would realize that there is only one way of querying a user's rights to perform an action, and that is at the _operation_ level (via the IAzClientContext:AccessCheck method). Tasks and roles are essentially just convenience "buckets" meant to help when assigning permissions to users. However, an application should be interested only in operations. Since you have only one operation, at the underlying AzMan level, it's the only securable for which your application can request access permissions.

Even with access checks being done only at the operation level, if I check access on a task which is comprised only of 2 tasks, each of which has operations, the security access application block WILL throw an exception. That is related to the code I had posted.

I am going to trace the block more, to see if it is simply a failure to crawl the task->operation associations before throwing the error.


This seems rather unlikely to be causing your problem, which is presumably occurring because an access check that you believe should fail is actually passing. This wouldn't be happening if an exception were thrown from the access check method. Instead of trying to troubleshoot this blindly, could you perhaps post the code you are using to attempt your access check?


I will post back on this; the issue I first posted was a completely different problem. I tried to provide a breakdown of the task / operation structure; the point is that by being granted rights to 1 operation which is essentially 1 of 2 that define a task, and not being granted rights to the other operation which is wrapped by the associated task, the call to check access still returns true.

Thanks for the answer, I will provide more concrete information. I had hoped not to have to use the AzMan COM API directly but I may have to in order to decide if/where the security block is not correct.
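
The task/operation structure discussed in this thread, as an added Python model that is not part of either post and is not AzMan or application block code: it flattens a task made of other tasks down to operations and allows the task only when every one of those operations is granted. The task and operation names are constructed, and treating a task-level check as "all of its operations granted" is an assumption of this example.

```python
# Constructed policy model; all names are hypothetical and this is not the AzMan API.
OPERATIONS = {"ReadOrder", "UpdateOrder"}
TASKS = {
    "ManageOrders": ["ViewOrders", "EditOrders"],  # a task made only of 2 tasks
    "ViewOrders": ["ReadOrder"],
    "EditOrders": ["UpdateOrder"],
    "EmptyTask": [],
}


def resolve_operations(name, _path=()):
    """Flatten a task (possibly built from other tasks) into its operations."""
    if name in OPERATIONS:
        return {name}
    if name not in TASKS:
        raise KeyError(f"unknown task or operation: {name}")
    if name in _path:
        raise ValueError(f"task definitions form a cycle at {name}")
    ops = set()
    for child in TASKS[name]:
        ops |= resolve_operations(child, _path + (name,))
    return ops


def check_access(granted_operations, name):
    """Return (allowed, missing_operations) for a task or operation name.

    The decision is made purely on operations: every operation the task
    resolves to must be granted. A task that resolves to no operations is
    denied, so an empty definition cannot grant access by accident.
    """
    required = resolve_operations(name)
    missing = sorted(required - set(granted_operations))
    return bool(required) and not missing, missing


if __name__ == "__main__":
    user_grants = {"ReadOrder"}  # constructed case: granted 1 of the 2 operations
    for target in ("ViewOrders", "EditOrders", "ManageOrders"):
        print(target, check_access(user_grants, target))
```

The list of missing operations returned alongside the decision is what makes a result like the one described above traceable to a specific grant.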