How do I write a server-side method in C# to capture server event onBeforeGet to deny a search or read request?

I need to do some extra checks on user information before granting the user read access to an item. Is this the right approach? If so, what should I return in the deny situation so as not to break the client application?

  • Hi Mx,

    Martin is right. MAC Policies are able to leverage user information to grant and deny access to various items. I'd recommend reading this blog post to get a better understanding of the kinds of things you could accomplish using MAC Policies. They're an incredibly powerful tool when utilized properly.

    AJ

  • In my use case, the validation/verification process is more complicated than MAC. I basically want to know the user ID, which could be from a federation SSO process. I need more dynamic decisions than MAC. A good code snippet would be C#: get the current user ID and current Item, call an outside service, and decide whether to allow access to the item or deny it. In the deny case, what can I return so as not to break the client application?

  • I think you could save yourself work by using MAC policies. If I was trying to do this, I would look at creating an Environment Attribute Method which called the outside service; see 3 Appendix: Writing an Environment Attribute Method. The basic idea is that when you use the property in your MAC, it calls the method and expects a Boolean back: attribute.SetValue(true/false);

    You could also use ItemType server events: OnBeforeGet and onGet.

    OnBeforeGet. You can use an OnBeforeGet server action to check the user's details before each item is returned (best used if you are returning single items, as this will check the user's details for each item).
    You can then return an 'error' to prevent the user retrieving an item:
    Innovator inn = this.getInnovator();
    return inn.newError("Error string goes here");
    You could also use this.removeProperty("property") to prevent users from retrieving specific properties.

    OnGet. If you 'Federated' a separate item, you can use an OnGet event to override the default Item behaviour; this will allow you to check the user's credentials once and retrieve the actual items you wish to display.
    This way you can choose to return an error (as above), or you can omit some results from the Get. This will give you more control over what, if anything, is returned.
    I.e. you could use a select attribute to only return some properties for some users.

    I hope this helps.
    Many thanks,
    Martin.
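
The OnBeforeGet approach described above, written out as a server-side C# method body that asks an outside service and denies by default. This is an added example, not code from the thread or from Aras; the endpoint URL and its "allow" reply convention are hypothetical assumptions.

```csharp
// Body of a server-side C# Method attached to the ItemType's OnBeforeGet event.
// In this event `this` is the incoming get request, so the id is empty when
// the client runs a search instead of opening one item.
Innovator inn = this.getInnovator();
string userId = inn.getUserID() ?? "";   // Aras id of the logged-in user
string itemType = this.getType() ?? "";
string itemId = this.getID() ?? "";      // may be empty for a search

// Hypothetical decision endpoint (assumption): replies 200 with body "allow".
string url = "https://authz.example.internal/check"
    + "?user=" + System.Uri.EscapeDataString(userId)
    + "&type=" + System.Uri.EscapeDataString(itemType)
    + "&id=" + System.Uri.EscapeDataString(itemId);

bool allowed = false;                    // default deny
try
{
    var req = (System.Net.HttpWebRequest)System.Net.WebRequest.Create(url);
    req.Method = "GET";
    req.Timeout = 3000;                  // ms; a slow service must not hang every get
    using (var resp = (System.Net.HttpWebResponse)req.GetResponse())
    using (var reader = new System.IO.StreamReader(resp.GetResponseStream()))
    {
        string body = reader.ReadToEnd().Trim();
        allowed = resp.StatusCode == System.Net.HttpStatusCode.OK
            && string.Equals(body, "allow", System.StringComparison.OrdinalIgnoreCase);
    }
}
catch (System.Net.WebException)
{
    allowed = false;                     // timeout, TLS failure, 4xx/5xx: fail closed
}

if (!allowed)
{
    // Generic message: the client receives an error item and learns nothing
    // about why the request was refused.
    return inn.newError("You do not have access to this item.");
}
return this;                             // let the get continue unchanged
```

Because the catch block leaves `allowed` false, an unreachable or failing service results in a denial, not silent access.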
