How DCS Authorizes Requests

A DCS service can authorize access to an operation based on the claims provided in the security header of the request message sent by a client application. These claims contain authenticated information about the identity of the user running the client application. For more information, see How DCS Authenticates Requests. The model that DCS implements for examining claims is highly customizable. However, the example authorization provider, implemented by the RoleBasedAuthorizationManager class in the Microsoft.ConnectedIndustry.ServiceModel.Application assembly supplied with DCS, performs role-based authorization based on Windows groups. You can use this role provider to grant or deny access to service operations based on whether the Windows identity of the user who requested the operation is a member of a specific Windows group. If your service uses a different claim set to authorize users, you can build your own custom authorization provider.

A developer can extend the RoleBasedAuthorizationManager class to provide customized functionality. By default, this class uses information from a section called authorizationRequirements in the Web.config file of the DCS Service to determine which operations a Windows group can access. The following code shows the skeleton of an implementation that retrieves authorization information from a SQL Server database instead.

public class SQLBasedRoleBasedAuthorizationManager : RoleBasedAuthorizationManager
{
    // The base class constructor looks for the authorizationRequirements
    // section in the config file. Note that C# invokes the parameterless
    // base constructor implicitly even when ": base()" is omitted, so the
    // base class must tolerate a missing section (or expose a constructor
    // that skips the config lookup) for this approach to work.
    public SQLBasedRoleBasedAuthorizationManager() //: base()
    {
        RoleBasedAuthorizationManager.accessRequirements = new Dictionary<string, List<string>>();
        //TODO: Connect to SQL Server and get list of roles and operation names

        //TODO: Add operation name as key and roles as value in the accessRequirements dictionary
    }
}
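The following is an added example, not code from the DCS documentation or product, showing one way the two TODOs in the skeleton above could be filled in. It assumes a connection string named AuthorizationDb in the connectionStrings section of Web.config and a table dbo.OperationRoles with columns OperationName and RoleName; both the connection-string name and the table schema are assumptions, not part of DCS. The query takes no user-supplied input, and the constructor fails closed (throws) rather than installing an empty requirements map if the database returns nothing, so a misconfigured database cannot silently change which operations are reachable.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using Microsoft.ConnectedIndustry.ServiceModel.Application;

// Added example: loads operation-to-role requirements from SQL Server.
// Assumed (hypothetical) schema: dbo.OperationRoles(OperationName nvarchar, RoleName nvarchar)
public class SqlBackedRoleAuthorizationManager : RoleBasedAuthorizationManager
{
    // Assumed name of the entry under <connectionStrings> in Web.config.
    private const string ConnectionStringName = "AuthorizationDb";

    public SqlBackedRoleAuthorizationManager()
    {
        // Operation names are matched case-insensitively; roles keep their stored casing.
        var requirements = new Dictionary<string, List<string>>(StringComparer.OrdinalIgnoreCase);

        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings[ConnectionStringName];
        if (settings == null)
        {
            throw new ConfigurationErrorsException(
                "Connection string '" + ConnectionStringName + "' is not configured.");
        }

        // Fixed query with no user input, so there is nothing to parameterize here.
        const string query = "SELECT OperationName, RoleName FROM dbo.OperationRoles";

        using (var connection = new SqlConnection(settings.ConnectionString))
        using (var command = new SqlCommand(query, connection))
        {
            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                while (reader.Read())
                {
                    string operation = reader.GetString(0);
                    string role = reader.GetString(1);

                    List<string> roles;
                    if (!requirements.TryGetValue(operation, out roles))
                    {
                        roles = new List<string>();
                        requirements[operation] = roles;
                    }
                    if (!roles.Contains(role))
                    {
                        roles.Add(role);
                    }
                }
            }
        }

        // Fail closed: an empty map means either the table is empty or the wrong
        // database was reached; refuse to start rather than guess.
        if (requirements.Count == 0)
        {
            throw new InvalidOperationException(
                "No authorization requirements were loaded from dbo.OperationRoles.");
        }

        // Same static field the DCS skeleton populates.
        RoleBasedAuthorizationManager.accessRequirements = requirements;
    }
}
```

Because the requirements are read once when the service host constructs the manager, a change to the table only takes effect after the service is restarted or recycled; if that is not acceptable, the lookup would need a cache with an expiry rather than a one-time load. To activate the class, register it in the service behavior as the service authorization manager, that is, the serviceAuthorizationManagerType attribute of the standard WCF serviceAuthorization element, using the assembly-qualified type name.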

To configure a DCS service to perform authorization, you should follow these steps:

  1. Use the DCS Management Services console to add a security policy to the service. Set the security mode of the service to message-level security, and specify the correct token type (Windows if you are using the default authorization provider, or SAML if you are using a custom authorization provider). For more information, see Configuring Security Policy for a Service.
  2. Edit the Web.config file for the DCS service, add the appropriate authorization provider, and if appropriate, specify the authorization requirements for each operation.
  3. Specify the authorization provider as the service authorization manager in the service behavior section of your service.