There are generally three types of authorization in enterprise applications:
There is a framework that covers all three of these authorization types, Rhino Security. It allows authorization to be abstracted out of the business logic as a cross-cutting concern. It is designed to handle 1 and 2 above, but people have used it to implement 3 as well.
Here is an example of the type of rules it can easily encompass:
A survey has a start date, an end date, can be marked as applicable to a specific population, may be public or private, etc.
The specification says that a survey that the user does not own should only be visible to a user iff:
- The survey is public
- The survey is active
- The survey has started
- The survey has not ended
- The survey is for a population that the user is a member of
The key concept that separates it from standard role-based security is the entity group. Entity groups are groups of, well, entities, and users can be granted or denied access to them just as they can to actions.
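To make the two ideas concrete, here is an added example (written for this post, not Rhino Security's own code or API) that models the survey specification above and the entity-group concept side by side. The `Survey`, `AuthorizationModel`, `is_authorized` and `spec_failures` names, the `deny wins` rule, and the sample users, populations and surveys are all constructed for illustration.

```python
# Illustrative model of declarative authorization, added for this page.
# It is NOT Rhino Security's API; names and data below are constructed.
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Survey:
    id: str
    owner: str
    public: bool
    active: bool
    start: date
    end: date
    population: str  # name of the population the survey targets


@dataclass
class AuthorizationModel:
    # entity group name -> ids of the entities it contains
    entity_groups: dict = field(default_factory=dict)
    # user -> populations the user belongs to
    memberships: dict = field(default_factory=dict)
    # (user, operation, entity group, allow?) grants; deny always wins
    permissions: list = field(default_factory=list)


def entity_group_decision(model: AuthorizationModel, user: str,
                          operation: str, entity_id: str) -> Optional[bool]:
    """Return the explicit grant that applies via entity groups, or None.

    A user is granted/denied an operation on a *group*; the grant applies to
    every entity in that group. An explicit deny on any group containing the
    entity wins over an allow on another group (least-privilege resolution).
    """
    decision = None
    for grant_user, op, group, allow in model.permissions:
        if grant_user != user or op != operation:
            continue
        if entity_id not in model.entity_groups.get(group, set()):
            continue
        if not allow:
            return False
        decision = True
    return decision


def spec_failures(model: AuthorizationModel, user: str,
                  survey: Survey, today: date) -> List[str]:
    """Evaluate the post's visibility rule for a non-owner.

    Returns every unmet condition, which is useful for audit logging
    and for explaining a denial. Empty list means the survey is visible.
    "Has not ended" is taken as end date inclusive (assumption).
    """
    failures = []
    if not survey.public:
        failures.append("not public")
    if not survey.active:
        failures.append("not active")
    if today < survey.start:
        failures.append("not started")
    if today > survey.end:
        failures.append("already ended")
    if survey.population not in model.memberships.get(user, set()):
        failures.append("user not in population")
    return failures


def is_authorized(model: AuthorizationModel, user: str, operation: str,
                  survey: Survey, today: date) -> bool:
    """Owner may do anything; an explicit entity-group deny blocks everything;
    'view' follows the specification; any other operation needs an explicit
    entity-group allow (default deny)."""
    if survey.owner == user:
        return True
    decision = entity_group_decision(model, user, operation, survey.id)
    if decision is False:
        return False
    if operation == "view":
        return not spec_failures(model, user, survey, today)
    return decision is True


# Constructed sample data
MODEL = AuthorizationModel(
    entity_groups={"archived-surveys": {"s3"}, "team-surveys": {"s1", "s4"}},
    memberships={"alice": {"engineering"}},
    permissions=[
        ("alice", "view", "archived-surveys", False),  # explicit deny
        ("alice", "edit", "team-surveys", True),        # explicit allow
    ],
)
TODAY = date(2024, 6, 1)
S1 = Survey("s1", "bob", True, True, date(2024, 1, 1), date(2024, 12, 31), "engineering")
S2 = Survey("s2", "bob", False, True, date(2024, 1, 1), date(2024, 12, 31), "engineering")
S3 = Survey("s3", "bob", True, True, date(2024, 1, 1), date(2024, 12, 31), "engineering")
S5 = Survey("s5", "bob", False, False, date(2025, 1, 1), date(2025, 12, 31), "sales")

if __name__ == "__main__":
    for s in (S1, S2, S3, S5):
        print(s.id, "view:", is_authorized(MODEL, "alice", "view", s, TODAY),
              "edit:", is_authorized(MODEL, "alice", "edit", s, TODAY))
```

The point of separating `spec_failures` from `is_authorized` is that the rule set stays declarative and inspectable: a denied request can be logged with the exact conditions that failed, and the business code that lists surveys never has to re-implement the rule itself.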
I would really love to see someone port this concept to the Entity Framework. It certainly might not be right for every project, but a cohesive strategy for access control would be a big leap forward compared to a lot of projects I've worked on.