有没有办法在Net SQL AzMan中执行“AND”而不是“OR”?

问题描述:

Net SQL AzMan中的所有设置似乎都是基于“或”的。有没有办法在Net SQL AzMan中执行“AND”而不是“OR”?

例如:

如果为某个操作添加了 3 个(授权)应用程序组,那么用户只要属于第一个、第二个或第三个组中的任意一个,就拥有该操作的权限。

我想要的是一种能表达“用户必须同时属于(第一个和第二个)或(第一个和第三个)”的方法。

有没有办法做到这一点?

原因:
我们的用户在部门之间调动时,权限会像滚雪球一样越积越多。我想为每个 Active Directory 部门设置一个角色(即上面示例中的“第一个”)。如果能实现上述逻辑,那么用户调换部门后就会自动失去原部门的权限(即使他们的上司偷懒,没有去更新 AzMan)。

如果我无法在AzMan中使用此工作,那么我可以让我的应用程序执行此操作。但是在AzMan级别上它会容易得多。

你可以在操作(Operation)上用 BizRule 做到这一点。下面的代码有点杀鸡用牛刀,但应该只需很少的修改就能用。

using System; 
using System.Security.Principal; 
using System.IO; 
using System.Data; 
using System.Collections; 
using System.Collections.Specialized; 
using System.Collections.Generic; 
using System.Text; 
using NetSqlAzMan; 
using NetSqlAzMan.Interfaces; 

using System.Security.Principal; 
using System.Reflection; 

namespace APPLICATION.BizRules 
{ 
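    /// <summary>
    /// NetSqlAzMan business rule that combines role checks with AND/OR instead of the
    /// storage's default OR semantics: the caller is authorized when it holds both
    /// GROUP1 and GROUP2, or GROUP3 on its own.
    /// </summary>
    public sealed class BizRule : IAzManBizRule
    {
        // NOTE(review): credentials embedded in the rule source are readable by anyone who
        // can read the rule; prefer integrated security or protected configuration where the
        // hosting environment allows it. The values below are placeholders.
        private const string SqlConnectionString = "data source=DATABASE_FQN;initial catalog=DATABASE;Integrated Security=false;User Id=USER_NAME;Password=PASSWORD";

        private const string StoreName = "MY STORE";
        private const string ApplicationName = "MY APPLICATION";
        private const string DomainName = "DENALLIX";

        // Loaded by name because a BizRule cannot reference the assembly directly.
        private const string AccountManagementAssembly = "System.DirectoryServices.AccountManagement, Version=3.5.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089";

        // System.DirectoryServices.AccountManagement.ContextType.Domain
        private const int ContextTypeDomain = 1;

        // System.DirectoryServices.AccountManagement.IdentityType.Sid
        private const int IdentityTypeSid = 4;

        public BizRule()
        { }

        /// <summary>
        /// Evaluates the role policy for <paramref name="identity"/>.
        /// </summary>
        /// <param name="contextParameters">Not used by this rule.</param>
        /// <param name="identity">SID of the caller; a value starting with "S" is treated as a Windows SID, anything else as a DB user SID.</param>
        /// <param name="ownerItem">Not used by this rule.</param>
        /// <param name="authorizationType">Not modified by this rule.</param>
        /// <returns>true when the caller is authorized; false on a null identity, an unknown Windows SID, or a storage error (fail closed).</returns>
        public bool Execute(Hashtable contextParameters, IAzManSid identity, IAzManItem ownerItem, ref AuthorizationType authorizationType)
        {
            if (identity == null)
            {
                return false;
            }

            IAzManStorage storage = new SqlAzManStorage(SqlConnectionString);
            try
            {
                // Ordinal: a SID prefix is not linguistic text.
                if (identity.StringValue.StartsWith("S", StringComparison.Ordinal))
                {
                    WindowsIdentity user = ResolveWindowsIdentity(identity.StringValue);
                    if (user == null)
                    {
                        // Unknown SID: deny rather than let the rule throw.
                        return false;
                    }
                    return EvaluateRolePolicy(storage, user);
                }

                return EvaluateRolePolicy(storage, new AzManUser(identity));
            }
            catch (SqlAzManException)
            {
                // Fail closed: a storage failure must never grant access.
                return false;
            }
            finally
            {
                // Release the storage connection if the implementation is disposable.
                IDisposable disposable = storage as IDisposable;
                if (disposable != null)
                {
                    disposable.Dispose();
                }
            }
        }

        /// <summary>
        /// The combined policy: (GROUP1 AND GROUP2) OR GROUP3. Kept in one place so the
        /// Windows and DB-user paths cannot drift apart.
        /// </summary>
        /// <param name="storage">Open NetSqlAzMan storage.</param>
        /// <param name="user">A <see cref="WindowsIdentity"/> or an <see cref="IAzManDBUser"/>.</param>
        private static bool EvaluateRolePolicy(IAzManStorage storage, object user)
        {
            return (CheckRoleAuthorization(storage, "GROUP1", user) && CheckRoleAuthorization(storage, "GROUP2", user))
                || CheckRoleAuthorization(storage, "GROUP3", user);
        }

        /// <summary>
        /// Resolves a Windows SID string to a <see cref="WindowsIdentity"/> via the account's
        /// user principal name. Reflection is used because a BizRule cannot reference
        /// System.DirectoryServices.AccountManagement directly.
        /// </summary>
        /// <param name="sid">The SID in string form.</param>
        /// <returns>The identity, or null when no matching account (or no UPN) is found in the domain.</returns>
        private static WindowsIdentity ResolveWindowsIdentity(string sid)
        {
            Assembly asm = Assembly.Load(AccountManagementAssembly);

            Type userPrincipalType = asm.GetType("System.DirectoryServices.AccountManagement.UserPrincipal");
            Type principalContextType = asm.GetType("System.DirectoryServices.AccountManagement.PrincipalContext");
            Type contextTypeType = asm.GetType("System.DirectoryServices.AccountManagement.ContextType");
            Type identityTypeType = asm.GetType("System.DirectoryServices.AccountManagement.IdentityType");

            object principalContext = Activator.CreateInstance(principalContextType, new object[] { Enum.ToObject(contextTypeType, ContextTypeDomain), DomainName });
            object userPrincipal = null;
            try
            {
                MethodInfo findByIdentity = userPrincipalType.GetMethod("FindByIdentity", new Type[] { principalContextType, identityTypeType, typeof(string) });
                userPrincipal = findByIdentity.Invoke(null, new object[] { principalContext, Enum.ToObject(identityTypeType, IdentityTypeSid), sid });
                if (userPrincipal == null)
                {
                    return null;
                }

                object userPrincipalName = userPrincipal.GetType().GetProperty("UserPrincipalName").GetValue(userPrincipal, null);
                if (userPrincipalName == null)
                {
                    return null;
                }

                return new WindowsIdentity(userPrincipalName.ToString());
            }
            finally
            {
                // Both the principal and its context hold directory connections.
                IDisposable disposablePrincipal = userPrincipal as IDisposable;
                if (disposablePrincipal != null)
                {
                    disposablePrincipal.Dispose();
                }
                IDisposable disposableContext = principalContext as IDisposable;
                if (disposableContext != null)
                {
                    disposableContext.Dispose();
                }
            }
        }

        /// <summary>
        /// Asks the storage whether <paramref name="user"/> holds <paramref name="roleName"/> right now.
        /// </summary>
        /// <param name="storage">Open NetSqlAzMan storage.</param>
        /// <param name="roleName">Role (item) name inside the configured store/application.</param>
        /// <param name="user">A <see cref="WindowsIdentity"/> or an <see cref="IAzManDBUser"/>.</param>
        /// <returns>true for Allow or AllowWithDelegation; false for any other result.</returns>
        /// <exception cref="ArgumentException">When <paramref name="user"/> is neither supported type.</exception>
        private static bool CheckRoleAuthorization(IAzManStorage storage, string roleName, object user)
        {
            AuthorizationType auth;
            WindowsIdentity windowsUser = user as WindowsIdentity;
            if (windowsUser != null)
            {
                auth = storage.CheckAccess(StoreName, ApplicationName, roleName, windowsUser, DateTime.Now, true);
            }
            else
            {
                IAzManDBUser dbUser = user as IAzManDBUser;
                if (dbUser == null)
                {
                    throw new ArgumentException("user must be a WindowsIdentity or an IAzManDBUser", "user");
                }
                auth = storage.CheckAccess(StoreName, ApplicationName, roleName, dbUser, DateTime.Now, true);
            }

            return auth == AuthorizationType.Allow || auth == AuthorizationType.AllowWithDelegation;
        }
    }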
    /// <summary>
    /// Minimal <see cref="IAzManDBUser"/> implementation that wraps a SID (and optionally a
    /// user name) so that non-Windows identities can be handed to the storage's CheckAccess.
    /// </summary>
    public partial class AzManUser : IAzManDBUser
    {
        private Dictionary<string, object> _customColumns = new Dictionary<string, object>();
        private IAzManSid _sid;
        private string _username;

        /// <summary>Creates a user with a name and a SID given as a string.</summary>
        public AzManUser(string username, string sid)
            : this(username, new NetSqlAzMan.SqlAzManSID(sid))
        {
        }

        /// <summary>Creates a user from a SID string; the user name is left empty.</summary>
        public AzManUser(string sid)
            : this(string.Empty, sid)
        {
        }

        /// <summary>Creates a user from an existing SID object; the user name is left empty.</summary>
        public AzManUser(IAzManSid sid)
            : this(string.Empty, sid)
        {
        }

        // Single point where the fields are assigned; the public constructors chain here.
        private AzManUser(string username, IAzManSid sid)
        {
            _username = username;
            _sid = sid;
        }

        /// <summary>Extra columns; always an empty, mutable dictionary for this type.</summary>
        public Dictionary<string, object> CustomColumns
        {
            get
            {
                return _customColumns;
            }
        }

        /// <summary>The SID this user was constructed with.</summary>
        public IAzManSid CustomSid
        {
            get
            {
                return _sid;
            }
        }

        /// <summary>The user name, or an empty string when none was supplied.</summary>
        public string UserName
        {
            get
            {
                return _username;
            }
        }
    }
} 

谢谢你为此付出的努力。但是,对于大量权限来说这种做法难以维持:跟踪和更新所有这些代码充其量也是个麻烦。唉,看来我得找一个外部解决方案。 – Vaccano 2012-08-06 22:31:01