The purpose of this project is to allow application developers to enforce what I like to call “Separation of Permissions.” Just as in n-tier architecture, the Authentication and Authorization process can be broken into multiple logical tiers.

At the highest level is the authentication process. This is the step where the user proves, through some recognized authentication mechanism, that they are who they claim to be. Without that proof, the rest of the process falls apart. However, once the user is authenticated through a trusted identity provider, an application can know, with certainty, properties about the user such as name, location and contact information. At the enterprise level, users are assigned to enterprise groups, typically based on job role (e.g. Human Resources Employees). Enterprise administrators typically do not get involved in application provisioning, so a separation is drawn at this level. It is, however, more convenient to manage application users as groups rather than individually, so application-level roles (e.g. Content Editor) are defined. At the application level, developers have the ability to check role membership directly (e.g. IPrincipal.IsInRole()), but coding these business rules directly into the application is problematic from a maintenance perspective.

Therefore, it’s useful to add one more layer of abstraction by defining application permissions. These permissions can be tested directly in code, but they are maintained separately from the core application code. Application-level permissions can be organized into broad categories or down to very granular functions. Taken to its logical conclusion, every action a user can perform in an application can have a unique permission. If permissions could be assigned to users or groups of users in an easy and uniform manner, defining very granular permissions would no longer be a burden.
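The following is an added example, not code from this project, showing the two checks side by side: a business rule hard-coded against a role with IPrincipal.IsInRole(), and the same decision expressed as a permission check that consults a role-to-permission mapping maintained outside the application code. The class and member names (AppPermissions, HasPermission) and the role and permission strings are hypothetical, and the mapping is embedded as constructed sample data so the snippet runs stand-alone.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

// Hypothetical permission layer (added example, not the project's code).
// In practice the role-to-permission mapping lives in configuration or a
// store maintained separately from the application; it is embedded here as
// constructed sample data so the example runs offline.
public static class AppPermissions
{
    private static readonly Dictionary<string, HashSet<string>> RolePermissions =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            ["Content Editor"]    = new HashSet<string> { "Content.Create", "Content.Edit" },
            ["Content Publisher"] = new HashSet<string> { "Content.Edit", "Content.Publish" },
        };

    // The single check that application code calls. It never names a role,
    // so changing which roles hold a permission requires no code change.
    public static bool HasPermission(IPrincipal user, string permission)
    {
        // Unauthenticated callers hold no permissions at all.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        // A permission is granted if any role the user holds carries it.
        return RolePermissions
            .Where(kv => user.IsInRole(kv.Key))
            .Any(kv => kv.Value.Contains(permission));
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed principal: an authenticated user in the Content Editor role.
        var editor = new GenericPrincipal(
            new GenericIdentity("alice"), new[] { "Content Editor" });

        // Business rule hard-coded against a role (the maintenance problem).
        bool canEditByRole = editor.IsInRole("Content Editor");

        // Same decision expressed as permission checks.
        bool canEdit    = AppPermissions.HasPermission(editor, "Content.Edit");
        bool canPublish = AppPermissions.HasPermission(editor, "Content.Publish");

        Console.WriteLine($"byRole={canEditByRole} edit={canEdit} publish={canPublish}");
    }
}
```

Granting Content Editors the right to publish is then a change to the mapping, not to the code that calls HasPermission.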

Creating a simple and convenient framework for permission management is the ultimate goal of this project.

Last edited Feb 26, 2016 at 7:36 PM by jkitaaic, version 6