Role-based Security in Managed Applications
Role-based security is a common application concept in which the developer makes authorization decisions based on the identity of or roles for the entity on whose behalf an application is executing. The definition of roles is typically application-specific, as are the conditions under which an administrator is willing to authorize specific actions.
It is common for application developers to make authorization decisions based on the identity and roles associated with the execution context. This often occurs in financial or business systems as a means of policy enforcement. For example, you might impose limits on the value of a transaction depending on the role of the user making the request. Clerks might be able to process transactions up to some set value, supervisors to a higher limit, and vice presidents to yet a higher limit. Another example is a business system requiring multiple approvals to complete an action. Consider a purchasing system in which any employee can generate a purchase request, but only a purchasing agent can process that request into a purchase order that can be sent to the supplier.
In the past, such requirements were often handled using proprietary mechanisms. Microsoft first introduced infrastructure to support this type of role-based security with Microsoft Transaction Server, and more recently with COM+ 1.0 Services. The .NET Framework provides similar support but does so in a way that is well integrated into the .NET technology. The .NET Framework role-based security mechanisms offer the following features:
- Provide the ability to check the identity and role of the entity on whose behalf code is executing.
- Integrate well with distributed applications using .NET remoting.
- Work consistently in both client and server execution environments.
- Expose these services to application developers through mechanisms similar to code access security checks.
- Are widespread and always available.
- Are easily configured to use application-defined roles.