Wednesday, January 03, 2007

SQL Authorization Manager

A while back I blogged about AzMan, a tool for managing operation level permissions that's supplied with Windows Server 2003. Recently I've been introduced to (thanks Chris!) a neat extension of the AzMan idea, SQL Authorization Manager (SqlAzMan) that's written by an Italian developer, Andrea Ferendeles. It takes the basic idea of operation level permissions management, but bases it on a SQL Server database rather than Active Directory, which probably makes more sense for most application developers. You can, however, also reference Active Directory users/groups if you want. It's also written entirely in .net 2.0 so you don't have to tackle all that irritating COM stuff like you do with AzMan and like AzMan it's user interface is an mmc snapin. Another neat addition is the time limiting of permissions, so you can allow someone to do an operation only for within a specific period. It comes with a built in RoleProvider, so you can plug it straight into the existing ASP.NET security framework, but to properly leverage the full power of operation level permissions, you can write directly to it's .net API. Here's a little test I wrote to check it out:

using System;
using System.Security.Principal;
using NUnit.Framework;

using NetSqlAzMan;
using NetSqlAzMan.Interfaces;

namespace Ace.Web.Security.SqlAzMan.Test
{
    /// 
    /// This test is a 'spike' to try out the functionality provided by NetSqlAzMan 
    /// see http://sourceforge.net/projects/netsqlazman/
    /// 
    /// To work it requires a NetSqlAzMan database to have been set up with the following properties:
    /// 
    /// Store name:         Test
    /// Application name:   TestApplication
    /// Operation name:     DoSomething
    /// 
    /// The user running the test should be given permission to execute operation 'DoSomething', see
    /// the NetSqlAzMan documentation for details
    /// 
    /// given authorisation to the user executing the test. You will also have to have installed NetSqlAzMan
    /// on the machine being used for testing.
    /// 
    [TestFixture]
    public class SqlAzManSpike
    {
        string _connectionString = "Data Source=(local);Initial Catalog = NetSqlAzManStorage;Integrated Security = SSPI;";
        IAzManStorage _storage;

        [SetUp]
        public void SetUp()
        {
            _storage = new SqlAzManStorage(_connectionString);
        }

        [NUnit.Framework.Test]
        public void CheckPermissionForCurrentUser()
        {
            WindowsIdentity identity = WindowsIdentity.GetCurrent();
            Console.WriteLine("WindowsIdentity = '{0}'", identity.Name);

            // Check if I can do the DoSomething operation
            AuthorizationType authorization = _storage.CheckAccess("Test", "TestApplication", "DoSomething",
                identity, DateTime.Now, true);

            Assert.AreEqual(AuthorizationType.Allow, authorization);
        }

        /// 
        /// This test expects that a SqlAzMan db user exists called 'Domain\user'
        /// 
        [NUnit.Framework.Test]
        public void CheckPermissionForStringUser()
        {
            string username = @"Domain\user";
            IAzManDBUser user = _storage.GetDBUser(username);
            Assert.IsNotNull(user, "user is null");

            Console.WriteLine("Db user = '{0}'", user.UserName);

            // Check if this user can do the DoSomething operation
            AuthorizationType authorization = _storage.CheckAccess("Test", "TestApplication", "DoSomething",
                user, DateTime.Now, true);

            Assert.AreEqual(AuthorizationType.Allow, authorization);
        }
    }
}

It's all very nice. The only complaint I've got is that Andrea hasn't caught all the SQL exceptions and given them more meaningful messages. If you try and check access of an operation that doesn't exist you get a nasty SQL exception rather than a NetSqlAzMan message saying that the given operation doesn't exist.

2 comments:

Anonymous said...

Thanks for sharing this great manager!

Anonymous said...

Thanks for sharing - looks interesting. BTW Microsoft's AzMan can also store use Sql Server as a data store now.