﻿<?xml version="1.0" encoding="utf-8"?><rss version="2.0"><channel><title>Ayende @ Rahien</title><link>http://ayende.com</link><description>Ayende @ Rahien</description><copyright>Copyright (C) Ayende Rahien  2004 - 2021 (c) 2026</copyright><ttl>60</ttl><item><title>Peter F. commented on Rhino Security: Part II - Discussing the Implementation</title><description>Right, I don't think you could run a rules filter in the database (unless your rule could be expressed as SQL) but you could provide a filter in-memory that uses the association during the load process.  I was thinking of something like:
  
Policy_Table
  PolicyId
  RuleId
  RuleType
  
and a one-to-many association between the permission entries table and the Policy table.  The Policy is just a collection of rule specifications that can determine the requesting context, and each entity that is built is intercepted like Filter(Policy.IsSatisfiedBy(entity));
  
  
Not sure that NHibernate could do this, but the larger question is whether a security layer can exist solely in the database.  I think that's an interesting problem. 
</description><link>http://ayende.com/3113/rhino-security-part-ii-discussing-the-implementation#comment7</link><guid>http://ayende.com/3113/rhino-security-part-ii-discussing-the-implementation#comment7</guid><pubDate>Thu, 24 Jan 2008 14:41:47 GMT</pubDate></item><item><title>Ayende Rahien commented on Rhino Security: Part II - Discussing the Implementation</title><description>Marco,
  
Feel free to send them, I would love to see that.
</description><link>http://ayende.com/3113/rhino-security-part-ii-discussing-the-implementation#comment6</link><guid>http://ayende.com/3113/rhino-security-part-ii-discussing-the-implementation#comment6</guid><pubDate>Thu, 24 Jan 2008 14:09:23 GMT</pubDate></item><item><title>Marco commented on Rhino Security: Part II - Discussing the Implementation</title><description>&gt;&gt; Can you show us an example on how to configure Rhino.Security in a real world project (not test suites)?
  
  
That would be great. For example, in your Hibernating.Forums sample, if you add the security layer and your ideas on some controller / entities / group of entities as a sample, I can send you patches for the details.
</description><link>http://ayende.com/3113/rhino-security-part-ii-discussing-the-implementation#comment5</link><guid>http://ayende.com/3113/rhino-security-part-ii-discussing-the-implementation#comment5</guid><pubDate>Thu, 24 Jan 2008 14:06:03 GMT</pubDate></item><item><title>Ayende Rahien commented on Rhino Security: Part II - Discussing the Implementation</title><description>Robert,
  
I assume that most of the time, you have a layer super type for your project, so you can register a single one and let the container resolve it for each type, generically.
  
  
</description><link>http://ayende.com/3113/rhino-security-part-ii-discussing-the-implementation#comment4</link><guid>http://ayende.com/3113/rhino-security-part-ii-discussing-the-implementation#comment4</guid><pubDate>Thu, 24 Jan 2008 09:09:06 GMT</pubDate></item><item><title>Robert M. commented on Rhino Security: Part II - Discussing the Implementation</title><description>Ayende,
  
  
Can you show us an example on how to configure Rhino.Security in a real world project (not test suites)?
  
  
I am particularly interested in how you would organize and set up IEntityInformationExtractor classes for multiple domain objects and how you would initialize them in Windsor.boo.
  
  
Do I have to write "component IEntityInformationExtractor of Account, AccountInformationExtractor" for each PONO that I have in my app and for which I want to apply security?
  
  
Thanks,
  
Robert
</description><link>http://ayende.com/3113/rhino-security-part-ii-discussing-the-implementation#comment3</link><guid>http://ayende.com/3113/rhino-security-part-ii-discussing-the-implementation#comment3</guid><pubDate>Thu, 24 Jan 2008 09:02:57 GMT</pubDate></item><item><title>Ayende Rahien commented on Rhino Security: Part II - Discussing the Implementation</title><description>Peter,
  
I'll answer about entities group in another post.
  
About adding rules as well, this is tricky, because how am I going to make those kinds of rules work in the database?
  
I can deal with most of those through the entities group, except the time based one, I am afraid.
  
</description><link>http://ayende.com/3113/rhino-security-part-ii-discussing-the-implementation#comment2</link><guid>http://ayende.com/3113/rhino-security-part-ii-discussing-the-implementation#comment2</guid><pubDate>Thu, 24 Jan 2008 04:17:34 GMT</pubDate></item><item><title>Peter F. commented on Rhino Security: Part II - Discussing the Implementation</title><description>Ayende, could you explain your vision of the EntityGroup a bit more?  I quoted your previous comments on the concept but it's not clear to me what the purpose is.
  
  
"Permissions can be granted and revoked on an Entity Group, and those are applicable to all the entities that are member in this group. This way, business logic that touches permissions doesn't need to be scattered all over the place, when a state change affects the permissions on an entity, it is added or removed to an entity group, which has a well known operations defined on it."
  
  
-- Wouldn't an entity type have well-known operations defined on it already (i.e., Account.Edit)?  And aren't the permissions just the set of privileges within the available operations?
  
  
"An Entity Group is a way to specify permissions for a set of entities, while the key is the set of permissions on a specific entity"
  
  
-- Are you intending the EntityGroup to be a security hierarchy?  If I create the AccountGroup with Account.View permission set on it, what is the effect on members of that entity group and why?
  
  
In my own acl security implementation I associated an entity with a default set of permissions that served for any requesting identity NOT in the acl entries table.  Is that the point of the EntityGroup? 
  
  
  
Also, what do you think about a rule extension point to the entry table for a contextual rule.  This could be the Policy or set of policy rules which might be "Valid between 9am and 5pm M-F", and "If amount &lt; 1000".  The gates are:
  
  
1. Can this user perform this operation
  
2. Can this user perform this operation on this/these entities
  
3. Can this user perform this operation on these entities under the current context. 
  
  
I'm not sure how one would load up and execute such a rules engine for lists but it could be applied as a specification to filter out the returned entities.
</description><link>http://ayende.com/3113/rhino-security-part-ii-discussing-the-implementation#comment1</link><guid>http://ayende.com/3113/rhino-security-part-ii-discussing-the-implementation#comment1</guid><pubDate>Thu, 24 Jan 2008 03:31:43 GMT</pubDate></item></channel></rss>