Larkware

We get up early so that you don't have to.

Review: Constable Authorization Engine

Constable Authorization Engine 1.1, $295
LaMarvin
http://www.lamarvin.com/default.asp

One of the measures of .NET's success is that products show up to fill niches that you might not have ever conceptualized as existing. The Constable Authorization Engine is a good example. This product provides a 100% managed code solution to the problem of making sure the authorization logic used by the business tier of an application is correct and consistent, as well as easily verifiable by inspection. You may be saying "huh?" at this point, so let me explain a bit further. Suppose you're designing an application to do some reasonably important business function - say, helping hospitals monitor and deliver prescriptions to patients. In any real-world application like this, there will be a variety of tasks that can be performed: writing prescriptions, dispensing them, actually delivering the drugs to the correct patient, and so on. There will also be a variety of different types of users: pharmacists, physicians, and nurses, for example. The business rules of the application (which you, brilliant developer that you are, will have determined by long and careful analysis in conjunction with your clients) will determine which users can perform which tasks while the application is in what state. If a prescription has been written but not yet dispensed, for example, only a pharmacist should be allowed to actually dispense it.

A single business rule, though, has ramifications that spread through the whole application. It can control which menu items and toolbar items should be active. It can control which data should be visible to a particular user. It can control which fields in a record can be edited. It may need to be applied consistently across multiple clients if you're accessing the data from both Web and Windows interfaces, and so on. While all of this is pretty straightforward, the effect can be that you write a whole lot of code to enforce business rules. And if someone later comes along and wants to audit the authorization code, it's hard to point to anything in particular.

That's where the Constable Authorization Engine comes in. With CAZE, you leverage .NET's existing role-based authorization together with a finite state machine model of the system to build a central repository of authorization information. The central player here is the AuthorizationPolicy, which contains information on the possible states of the system, the transitions between states, and the roles in the system. Critically, it also knows which transitions are authorized by which roles. You can set up an AuthorizationPolicy entirely in code, or you can store it in XML form and load it with a single statement. Then, in your code, you create and populate an instance of the AuthorizationPolicy object, set its CurrentPrincipal property to represent the role membership that's trying to perform the action (there's your hook into the existing authorization structure), and tell it what state the system is in (typically, you'd store this as a property of a business object). From there, you have available such useful methods as IsActionExecutable to tell you whether something would be allowed (which makes it easy to selectively enable user interface elements) and ExecuteAction (which transitions the system to a new state if allowed, and throws a PermissionDeniedException otherwise).

There's no magic here - you'll still need to perform a code audit to verify that you consistently call the authorization APIs everywhere that you perform an action - but the net effect is to place all the authorization decisions in one spot, and to make the XML policy file a simple artifact that captures the authorization rules for the whole process.
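The pattern described above, reduced to a minimal sketch in modern C#. This is an added example, not LaMarvin's code and not the product's actual API: `MiniPolicy`, `Allow` and the state and role names are hypothetical, and the member names `CurrentPrincipal`, `IsActionExecutable`, `ExecuteAction` and `PermissionDeniedException` only echo the ones the review mentions, with assumed signatures.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

// Hypothetical stand-in for the pattern the review describes; not CAZE's API.
class PermissionDeniedException : Exception
{
    public PermissionDeniedException(string msg) : base(msg) { }
}

class MiniPolicy
{
    // (state, action) -> (next state, roles allowed to trigger the transition)
    private readonly Dictionary<(string, string), (string Next, string[] Roles)> _rules =
        new Dictionary<(string, string), (string, string[])>();
    public IPrincipal CurrentPrincipal { get; set; }
    public string CurrentState { get; set; }

    public void Allow(string fromState, string action, string toState, params string[] roles)
        => _rules[(fromState, action)] = (toState, roles);

    // Default deny: unknown transition, missing principal, or no matching role.
    public bool IsActionExecutable(string action)
        => CurrentPrincipal != null
           && _rules.TryGetValue((CurrentState, action), out var rule)
           && rule.Roles.Any(CurrentPrincipal.IsInRole);

    public void ExecuteAction(string action)
    {
        if (!IsActionExecutable(action))
            throw new PermissionDeniedException($"'{action}' denied in state '{CurrentState}'");
        CurrentState = _rules[(CurrentState, action)].Next;
    }
}

static class Demo
{
    static void Main()
    {
        var policy = new MiniPolicy { CurrentState = "Written" };
        policy.Allow("Written", "Dispense", "Dispensed", "Pharmacist");
        policy.Allow("Dispensed", "Deliver", "Delivered", "Nurse", "Physician");
        // Constructed identities; GenericPrincipal is the stock .NET role carrier.
        policy.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("nina"), new[] { "Nurse" });
        Console.WriteLine(policy.IsActionExecutable("Dispense")); // a nurse may not dispense
        policy.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("pat"), new[] { "Pharmacist" });
        policy.ExecuteAction("Dispense");                         // Written -> Dispensed
        try { policy.ExecuteAction("Dispense"); }                 // no such transition from Dispensed
        catch (PermissionDeniedException e) { Console.WriteLine(e.Message); }
    }
}
```

The UI-enabling check and the enforcing call share one rule table, so the two cannot drift apart; the audit the review mentions then reduces to confirming that every state change goes through `ExecuteAction`.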

The attention to detail here is excellent. The product installs a good set of examples, as well as help that's integrated with the Visual Studio .NET help and an online tutorial that will walk you through its basic use. You can download a trial version that is fully functional, except that it's limited to supporting only four roles in an authorization policy.

Mike Gunderloy is the lead developer for Larkware and author of numerous books and articles on programming topics.