First of all, I am new to DataAbstract. I am working on a web .NET MVC 3 application that deals with reference data and I want to see if DataAbstract would save me time.
What is the best way to secure the datatables and commands from an updatability point of view as well as from a viewing angle (i.e. certain users can see only certain data)?
I was wondering if this is really the way to do it.
My application is a mixture of role-based (the roles are basically mapped one-to-one to AD groups for now) and ACL-like permissions. Essentially, in each screen the users can have view/insert/update/delete permissions. Each role aggregates a set of permissions on each page. On top of this, some users can see data that belongs to their organization, while others can see data that belongs to any organization.
I am not clear how I can implement all this into a schema and how much work I would have to do to implement what I want.
When a request is made to get the data for DataTable can I get my hands on the security context as it was built by the .net web app?
Can you describe the problem in more detail? What is the main aim you want to achieve? Can you send us step-by-step instructions for the problem? The article http://wiki.remobjects.com/wiki/Simplifying_Permissions_(Delphi) can help with security questions, but more information about the problem will help us to provide a more suitable solution.
I don’t have a specific issue. My questions are architectural questions related to the authorization to get and save the data.
How does one restrict the access to specific datatables & commands based on roles? Let’s say I have two roles Manager & Staff in a bank. A manager can see any accounts, while staff can see/update accounts with less than $100,000. How would I implement this in DA?
In the context of a web .net app can I re-use the security context of the .net app to drive the authorization to the DA objects? I might be even out to lunch by thinking to use DA with a web .net app. Any guidance?
How does one restrict the access to specific datatables & commands based on roles? Let’s say I have two roles Manager & Staff in a bank. A manager can see any accounts, while staff can see/update accounts with less than $100,000. How would I implement this in DA?
In this case the best way is to use the RemObjects Data Abstract Business Processor (Documentation | RemObjects Software). It allows you to create your own custom rules for each data table. For example, according to information about the role, the BP can restrict getting data, add additional parameters to the query, etc. Please take a look at the RemObjects Data Abstract for Delphi sample “Server” (see it at "C:\Users\Public\Documents\RemObjects Samples\Data Abstract for Delphi\Server"). It shows how BPs can be used, for example (DASampleService_impl.pas file):
// BeforeProcessChange fires once per row change before it is applied to the
// database; raising an exception here rejects that change.
procedure TDASampleService.bpBPClientsBeforeProcessChange(
  Sender: TDABusinessProcessor; aChangeType: TDAChangeType;
  aChange: TDADeltaChange; var ProcessChange: Boolean);
var
  discount: double;
begin
  ServerForm.LogMessage(#9'Checking business rules for Clients dataset');
  // Rule 1: clients may never be deleted
  if aChangeType = ctDelete then begin
    ServerForm.LogMessage(#9#9'Forbidding to delete the client "' +
      VarToStr(aChange.OldValueByName['Name']) + '"');
    raise EDAException.Create('Client deletion is forbidden!');
  end;
  // Rule 2 (insert/update): discount must stay within [0;50]
  discount := aChange.NewValueByName['Discount'];
  if (discount < 0.0) or (discount > 50.0) then begin
    ServerForm.LogMessage(#9#9'Forbidding discount out of [0;50] range: ' +
      FloatToStr(discount));
    raise EDAException.Create('Discount out of range!');
  end;
end;
In the context of a web .net app can I re-use the security context of the .net app to drive the authorization to the DA objects? I might be even out to lunch by thinking to use DA with a web .net app. Any guidance?
This solution is more complex. It is better to use the Business Processor, the native Data Abstract instrument.
Please contact us via support@ and we will help you to create a simple prototype application with this approach implemented.
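As an added example (not code from this thread or from the RemObjects sample), here is how the Manager/Staff rule from the question could be expressed in the same BeforeProcessChange hook shown above. It covers only the change side (insert/update/delete); restricting what Staff can see on retrieval is a separate query-side rule that this example does not show. The table name 'Accounts', the field 'Balance', the handler name bpAccountsBeforeProcessChange and the helper GetCurrentUserRole (which is assumed to return the caller's role as resolved by the application's own authentication, e.g. from AD group membership) are hypothetical; TDABusinessProcessor, TDAChangeType, TDADeltaChange, OldValueByName, NewValueByName, ctDelete and EDAException are the identifiers already used in the sample, and ctInsert/ctUpdate are assumed to be the other members of TDAChangeType. VarIsNull comes from the Variants unit.

```pascal
// Added example: role-based change rule for a hypothetical 'Accounts' table.
// Assumptions: GetCurrentUserRole (hypothetical helper) returns 'Manager' or
// 'Staff'; the table has a numeric 'Balance' field.
const
  StaffLimit = 100000.0;   // Staff may only touch accounts below this balance

// True when the given balance is at or above the Staff limit.
// A Null value (e.g. field not supplied on insert) is treated as 0.
function AccountTooLarge(const aValue: Variant): Boolean;
begin
  Result := (not VarIsNull(aValue)) and (aValue >= StaffLimit);
end;

procedure TDASampleService.bpAccountsBeforeProcessChange(
  Sender: TDABusinessProcessor; aChangeType: TDAChangeType;
  aChange: TDADeltaChange; var ProcessChange: Boolean);
var
  role: string;
begin
  role := GetCurrentUserRole;   // hypothetical helper, see lead-in
  if role = 'Manager' then
    Exit;                       // managers may change any account

  // Fail closed: anything that is not an explicitly known role is rejected
  if role <> 'Staff' then
    raise EDAException.Create('Unknown role: ' + role);

  // Staff: reject a change if the account is already at/above the limit
  // (update or delete of an existing row)...
  if aChangeType in [ctUpdate, ctDelete] then
    if AccountTooLarge(aChange.OldValueByName['Balance']) then
      raise EDAException.Create('Staff may not modify accounts of ' +
        FloatToStr(StaffLimit) + ' or more');

  // ...or if the change would move it to/above the limit (insert or update).
  if aChangeType in [ctInsert, ctUpdate] then
    if AccountTooLarge(aChange.NewValueByName['Balance']) then
      raise EDAException.Create('Staff may not set a balance of ' +
        FloatToStr(StaffLimit) + ' or more');
end;
```

Checking both the old and the new value matters: testing only the new balance would let Staff update (or delete) an account that is already above the limit, and testing only the old balance would let them push a small account over it.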