Ayende @ Rahien

My name is Oren Eini
Founder of Hibernating Rhinos LTD and RavenDB.

Authorization DSL


Here is a tidbit that I worked on yesterday for the DSL book:

operation "/account/login"

if Principal.IsInRole("Administrators"):
	Allow("Administrators can always log in")

if date.Now.Hour < 9 or date.Now.Hour > 17:
	Deny("Cannot log in outside of business hours, 09:00 - 17:00")

And another one:

if Principal.IsInRole("Managers"):
	Allow("Managers can always approve orders")

if Entity.TotalCost >= 10_000:
	Deny("Only managers can approve orders of more than 10,000")
Allow("All users can approve orders less than 10,000")

There is no relation to Rhino Security, just to be clear.

I simply wanted a sample for a DSL, and this seems natural enough.
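The two scripts above only say when to call Allow or Deny; what happens when a script ends without calling either is up to the host. The following is an added example in Python, not the author's Boo code or the book's implementation, sketching a host that runs both rule sets with first-decision-wins semantics. Assumptions: the `authorize` function, the `/order/approve` operation name, the dictionary-shaped entity, and the deny-by-default behaviour are all hypothetical; the hour check is kept exactly as written in the post.

```python
from datetime import datetime

class Decision(Exception):
    """Raised by Allow/Deny so the first decision reached ends the rule."""
    def __init__(self, allowed, reason):
        super().__init__(reason)
        self.allowed, self.reason = allowed, reason

def Allow(reason):
    raise Decision(True, reason)

def Deny(reason):
    raise Decision(False, reason)

class Principal:
    def __init__(self, *roles):
        self.roles = set(roles)
    def IsInRole(self, role):
        return role in self.roles

def login(principal, entity, now):      # mirrors the first script
    if principal.IsInRole("Administrators"):
        Allow("Administrators can always log in")
    if now.hour < 9 or now.hour > 17:
        Deny("Cannot log in outside of business hours, 09:00 - 17:00")

def approve(principal, entity, now):    # mirrors the second script
    if principal.IsInRole("Managers"):
        Allow("Managers can always approve orders")
    if entity["TotalCost"] >= 10_000:
        Deny("Only managers can approve orders of more than 10,000")
    Allow("All users can approve orders less than 10,000")

# "/order/approve" is an assumed name; the post gives no operation line for it.
RULES = {"/account/login": login, "/order/approve": approve}

def authorize(operation, principal, entity=None, now=None):
    """Return (allowed, reason). Assumption: anything undecided is denied."""
    rule = RULES.get(operation)
    if rule is None:
        return False, "no rule for " + operation
    try:
        rule(principal, entity, now or datetime.now())
    except Decision as d:
        return d.allowed, d.reason
    return False, "rule made no decision"
```

Under this host, a non-administrator logging in at 10:00 is denied with "rule made no decision", because the login script contains no Allow for that case; a host that defaulted to allow would give the opposite result from the same script.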


Rik Hemsley

This looks like normal code to me... apart from the context setting first line. What makes it a DSL?

Ayende Rahien


This is normal code. In a specific context, using a specific set of scenarios.

This is supposed to be an example of a technical DSL.

What you see is the entire file, and you have whole sets of them.

Nick Parker

This is probably a good example of why people are flocking to Ruby, writing a DSL for something like this becomes very easy.

Bill Pierce

IIRC, ADAM/AzMan has a similar capability using VBScript to validate defined Operations, however it requires Active Directory.


I keep having trouble with the operations named like paths or URLs. This sounds logical only if you're developing a web app, and even then it's not always the correct mapping. I'd rather go wilder and do something like:

operation login in account

Also, for a DSL I think I'd rather do something more like "if user in Managers" over "if Principal.IsInRole("Managers")".

Ayende Rahien


Yes, that would be much nicer. But I am trying to show a simple DSL, not taking it to the far end.

How do you structure operations if they are free text?

There is a good reason that I like the path approach, they are very easily recognizable, have meaningful names and intrinsically hierarchical.


As this should be a DSL, I would like an approach like

if Not FormalDate.CurrentHour between 9 And 17:

Deny("Cannot log in outside of business hours, 09:00 - 17:00")

Ayende Rahien

This is actually possible with a patch to Boo :-)

Macro operators


Ayende, qualified names are also meaningful and intrinsically hierarchical without resorting to string parsing. I'm uncomfortable seeing "/account/login", but less so when I see account.login.

Ayende Rahien


Paths are my preference, they are immediately recognizable.

I have no issues, however, with structured strings that use other delimiters. "account.login" or "order.approve" are just fine.

I actually built a system with that convention, it worked nicely.


Oh, I didn't mean a structured string. I meant a structured identifier. No quotes. I used period as delimiter because Boo's syntax allows qualified names as reference expressions, which is good for this scenario. The delimiter itself isn't important, it's the difference between a string literal that "looks" like a structured identifier (but requires parsing) and a qualified name, which is a structured identifier.

Ayende Rahien

Oh, good point.

I am thinking more about the more general approach, specifically with relation to Rhino Security, which uses that approach.


"if Not FormalDate.CurrentHour between 9 And 17:

Deny("Cannot log in outside of business hours, 09:00 - 17:00")"

I wish you could write it in even a bit more of an "English":

if now.not.between 09:00 and 17:00


Ayende Rahien


This is actually possible.
