The security system in LoBDb.NET is based on users, roles and units. Permissions are granted to a role on a table, and a unit (a group of users) defines the row scope of such a permission. A permission can cover all rows, only the user's own rows, the rows of the user's unit, or the rows of the user's unit together with its child units.
The following example configures security settings so that managers from two different units can see only the treaties of their own unit, can update or delete only their own treaties, while their boss can view all treaties. The shared password "P@ssw0rd" is a placeholder for the sample only; real accounts need distinct, strong credentials that are never hard-coded in source.

            // Sample: row-level scoping by unit. Everything below runs against
            // `domain`, which is declared outside this listing.

            // Deleting the old schema. This is destructive: run it only against a
            // scratch domain, never a domain holding real data.
            domain.DeleteAll();

            // Creating four users.
            // Demo credentials only: all four accounts share one weak, hard-coded
            // password. A real deployment needs distinct, strong, secret credentials.
            var firstManager = domain.AddUser("first_manager", "P@ssw0rd");
            var secondManager = domain.AddUser("second_manager", "P@ssw0rd");
            var thirdManager = domain.AddUser("third_manager", "P@ssw0rd");
            var boss = domain.AddUser("boss", "P@ssw0rd");

            // Creating the roles. Grants below are made against these roles, not
            // against individual users.
            var managerRole = domain.AddRole("manager");
            var directorRole = domain.AddRole("director");

            managerRole.AddUser(firstManager);
            managerRole.AddUser(secondManager);
            managerRole.AddUser(thirdManager);

            directorRole.AddUser(boss);

            // Building the unit hierarchy. The top unit holds only the boss.
            var topUnit = domain.AddUnit();
            topUnit.AddUser(boss);

            // The first child unit is attached under the top unit.
            var firstChildUnit = domain.AddUnit();
            firstChildUnit.AddParent(topUnit);

            // The first and the second managers are from the first unit
            firstChildUnit.AddUser(firstManager);
            firstChildUnit.AddUser(secondManager);

            // And the third manager is from the second unit.
            // NOTE(review): unlike firstChildUnit, this unit is never attached to
            // topUnit, so it sits outside the boss's hierarchy. The boss still sees
            // its rows only because the director Select grant below carries no
            // AccessLevel. Confirm this asymmetry is intended.
            var secondChildUnit = domain.AddUnit();
            secondChildUnit.AddUser(thirdManager);

            // Creating a table
            var treatyTable = domain.AddTable("treaties");

            // Directors can view all treaties. No AccessLevel argument is passed;
            // presumably that means the grant is unscoped (all rows) -- confirm
            // against the Grant overload. The boss count below relies on this.
            treatyTable.Grant(directorRole, DataAction.Select);
            
            // Managers can view treaties from their units (AccessLevel.Unit). How a
            // row becomes associated with a unit is not shown here; presumably it is
            // derived from the inserting user -- confirm.
            treatyTable.Grant(managerRole, DataAction.Select, AccessLevel.Unit);
            // Managers can insert treaties (unscoped insert).
            treatyTable.Grant(managerRole, DataAction.Insert);
            // Managers can update their treaties. AccessLevel.Own is narrower than
            // the Unit-scoped Select: a manager can read unit-mates' rows but not
            // change them.
            treatyTable.Grant(managerRole, DataAction.Update, AccessLevel.Own);
            // Managers can delete their treaties (same Own scope as Update).
            treatyTable.Grant(managerRole, DataAction.Delete, AccessLevel.Own);

            // Each Logon returns a domain bound to that user. All data access below
            // goes through these per-user domains rather than the `domain` used for
            // setup, so the grants above can be enforced.
            // Connecting as the first manager
            var firstManagerDomain = domain.Logon("first_manager", "P@ssw0rd");
            // Connecting as the second manager
            var secondManagerDomain = domain.Logon("second_manager", "P@ssw0rd");
            // Connecting as the third manager
            var thirdManagerDomain = domain.Logon("third_manager", "P@ssw0rd");
            // Connecting as the boss
            var bossDomain = domain.Logon("boss", "P@ssw0rd");

            // Each manager is inserting a treaty. InsertRow() takes no arguments;
            // presumably the row is stamped with the inserting user so that the
            // Own/Unit scopes can apply -- confirm.
            firstManagerDomain.GetTable("treaties").InsertRow();
            secondManagerDomain.GetTable("treaties").InsertRow();
            thirdManagerDomain.GetTable("treaties").InsertRow();

            // Expected with the grants above (assuming an unscoped Select means all
            // rows): boss 3; first and second manager 2 each (same unit); third
            // manager 1.
            Console.WriteLine("The boss: treaty count = {0}", bossDomain.GetTable("treaties").RowCount);
            Console.WriteLine("The first manager: treaty count = {0}", firstManagerDomain.GetTable("treaties").RowCount);
            Console.WriteLine("The second manager: treaty count = {0}", secondManagerDomain.GetTable("treaties").RowCount);
            Console.WriteLine("The third manager: treaty count = {0}", thirdManagerDomain.GetTable("treaties").RowCount);
            }
      }
}
