
In this article (http://www.codemag.com/Article/0001308101) it is suggested that claims can be used to grant/deny certain types of access to data rows.

To be more specific: the article mentions:

using System.IdentityModel.Services; // ClaimsPrincipalPermission lives in WIF (.NET 4.5)

public void ProtectedMethod()
{
    // Asks the configured ClaimsAuthorizationManager whether the current principal
    // may perform "Read" on the resource "bankaccount|1234"; throws SecurityException if not.
    ClaimsPrincipalPermission.CheckAccess("bankaccount|1234", "Read");
    // Perform protected task.
}

In my opinion (please correct me if I am wrong) this suggests that access to data rows (in this case bank account numbers) can be managed with claims.

So far I get the picture and find this doable (well I think).

Now, imagine I want to query a list of all the account numbers a user may access. In a non-claimed-based scenario we could query the database like:

var list = db.BankAccounts.Where(c => c.UserId == userId); 

in a claim based scenario it would mean something like (just an example scenario):

// Sketch only: CheckAccess returns void and throws on failure, so it cannot serve as a
// predicate, and a LINQ provider cannot translate such a call into SQL anyway.
var list = db.BankAccounts.Where(c =>
    ClaimsPrincipalPermission.CheckAccess("bankaccount|" + c.Id, "Read"));

But this doesn't really feel right.

Am I missing a crucial part? Or is it not really a good idea to protect access to data rows in this way?

UPDATE

After reading Wiktor Zychla's answer and comments I am still confused: at the moment the claims are stored in a claims table. The BankAccounts are stored in another table.

So basically I see this as options:

1) Query the bank accounts and join with the claims table (or cached data).

But I am still not sure this is the right approach.

Stefan
  • I guess what you miss is that although physically claims are stored somewhere (in a table), upon authentication they are stored in a cookie that establishes a local session for a user. You retrieve a claim from there, not from the table, to use it in the current user session. – Wiktor Zychla May 11 '14 at 19:22
  • @WiktorZychla: Okay, I missed that one indeed. I'll have to review my project setup. I thought I could use claims as a 'per-row' kind of authorization. But adding cookie data for "read/write/delete/etc" per data row will blow up the cookie quite quickly. Thanks anyhow :) – Stefan May 11 '14 at 20:29

1 Answer


Claims are just name-value pairs. It is perfectly valid to have a custom claim for the user id.

This means that you don't have to stick with this CheckAccess method. Rather, find a needed claim (user name, user id, whatever) and use its value like you would use the id in the former example.

Wiktor Zychla
  • So, if I am not mistaken that would suggest a database join query to the claims table? – Stefan May 11 '14 at 17:58
  • No, a where clause using a claim value. It doesn't matter where the original source of the claim is, as long as you have its value. – Wiktor Zychla May 11 '14 at 18:06
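As an added example (this is not code from the original question, the answer, or the linked article), the following C# shows the answer's suggestion in working form: read the user id from a claim on the current `ClaimsPrincipal` and use it in the `Where` clause exactly as `userId` was used in the non-claims query, so the filter still translates to SQL. It also shows the per-account-claim variant that the comments warn would bloat the cookie, and a single-row check equivalent to the `CheckAccess("bankaccount|1234", "Read")` call. The `BankAccount` type, the claim type URIs, and the sample accounts and principal are all assumptions constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Hypothetical row type standing in for the db.BankAccounts entity from the question.
public class BankAccount
{
    public int Id { get; set; }
    public string UserId { get; set; }
    public string Owner { get; set; }
}

public static class AccountAuthorization
{
    // Hypothetical custom claim types; the names are assumptions, not from the original post.
    public const string UserIdClaim = "urn:example:userid";
    public const string AccountReadClaim = "urn:example:bankaccount:read";

    // The answer's approach: take the user id from a claim and use it like the userId
    // variable in the non-claims query. c.UserId == userId translates to SQL.
    public static List<BankAccount> AccountsFor(ClaimsPrincipal user, IQueryable<BankAccount> accounts)
    {
        var userId = user.FindFirst(UserIdClaim)?.Value;
        if (userId == null)
            return new List<BankAccount>(); // no id claim (e.g. unauthenticated): nothing is visible
        return accounts.Where(c => c.UserId == userId).ToList();
    }

    // Per-account claim variant: one claim per readable account id. It works, but every
    // extra claim ends up in the session cookie/token, which is the size problem raised
    // in the comments. List<int>.Contains translates to SQL IN (...).
    public static List<BankAccount> AccountsByReadClaims(ClaimsPrincipal user, IQueryable<BankAccount> accounts)
    {
        var readable = user.FindAll(AccountReadClaim)
                           .Select(c => int.Parse(c.Value))
                           .ToList();
        return accounts.Where(c => readable.Contains(c.Id)).ToList();
    }

    // Single-row check, the equivalent of CheckAccess("bankaccount|1234", "Read")
    // expressed with the user id claim instead of a per-row resource claim.
    public static bool CanRead(ClaimsPrincipal user, BankAccount account)
    {
        var userId = user.FindFirst(UserIdClaim)?.Value;
        return userId != null && account.UserId == userId;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data, not from the original post.
        var accounts = new List<BankAccount>
        {
            new BankAccount { Id = 1234, UserId = "u1", Owner = "Alice" },
            new BankAccount { Id = 5678, UserId = "u2", Owner = "Bob" },
            new BankAccount { Id = 9012, UserId = "u1", Owner = "Alice" },
        }.AsQueryable();

        // Constructed principal: the in-memory object the authentication cookie restores.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(AccountAuthorization.UserIdClaim, "u1"),
            new Claim(AccountAuthorization.AccountReadClaim, "1234"),
            new Claim(AccountAuthorization.AccountReadClaim, "5678"),
        }, "Constructed");
        var user = new ClaimsPrincipal(identity);

        foreach (var a in AccountAuthorization.AccountsFor(user, accounts))
            Console.WriteLine($"by owner claim:   {a.Id} ({a.Owner})");   // 1234, 9012
        foreach (var a in AccountAuthorization.AccountsByReadClaims(user, accounts))
            Console.WriteLine($"by read claims:   {a.Id} ({a.Owner})");   // 1234, 5678
        var bobs = accounts.First(a => a.Id == 5678);
        Console.WriteLine($"u1 can read 5678: {AccountAuthorization.CanRead(user, bobs)}"); // False
    }
}
```

The owner-claim query needs exactly one claim in the session regardless of how many accounts the user holds, which is why it avoids the cookie growth the comments describe; the per-account variant is shown only to make that trade-off concrete.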