Is there a way to do "AND" in Net SQL AzMan instead of "OR"?


All of the settings in Net SQL AzMan seem to be "OR" based.

For example:

If you add 3 (Authorized) Application Groups to an operation, a user needs to be in the first OR the second OR the third to have permissions for the operation.

I am looking for a way to say the user needs to be in (the first AND the second) OR (the first AND the third).

Is there a way to do that?

Reason Why:
We have users who accumulate ("snowball") permissions as they move from department to department. I want to set up one role per Active Directory department ("the first" in my example above). If I can get the above logic working, then when a user changes departments they will lose the permissions from their former department (even if their boss is lazy and does not get AzMan updated).

If I can't get this working in AzMan, then I can have my apps do it. But it would be so much easier at the AzMan level.


There are 1 answers

illvm On

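You could do this with a BizRule on the operation. The code for it is a bit of overkill, but it should work with minimal modifications: replace the placeholder connection string, domain, store, application and group names, and make sure the boolean expression matches the policy you actually want to enforce.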

using System;
using System.Security.Principal;
using System.IO;
using System.Data;
using System.Collections;
using System.Collections.Specialized;
using System.Collections.Generic;
using System.Text;
using NetSqlAzMan;
using NetSqlAzMan.Interfaces;

using System.Security.Principal;
using System.Reflection;

namespace APPLICATION.BizRules
{
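    /// <summary>
    /// NetSqlAzMan business rule that replaces the default "member of any authorized group"
    /// behaviour with a combined policy: the caller must hold GROUP1 AND (GROUP2 OR GROUP3).
    /// Every failure path in this rule resolves to "not authorized".
    /// </summary>
    public sealed class BizRule : IAzManBizRule
    {
        public BizRule()
        { }

        /// <summary>
        /// Evaluates the combined group policy for <paramref name="identity"/>.
        /// </summary>
        /// <param name="contextParameters">Not used by this rule.</param>
        /// <param name="identity">SID of the caller being evaluated.</param>
        /// <param name="ownerItem">Not used by this rule.</param>
        /// <param name="authorizationType">Not read or modified by this rule.</param>
        /// <returns>
        /// <c>true</c> when the caller satisfies the policy; <c>false</c> when it does not, when the
        /// identity is missing or cannot be resolved, or when the storage raises a
        /// <c>SqlAzManException</c>.
        /// </returns>
        public bool Execute(Hashtable contextParameters, IAzManSid identity, IAzManItem ownerItem, ref AuthorizationType authorizationType)
        {
            // No identity means nothing to evaluate: deny rather than fault.
            if (identity == null || identity.StringValue == null)
            {
                return false;
            }

            // NOTE(review): placeholder connection string with an embedded SQL login. The rule source
            // is readable by anyone who can read the rule definition, so prefer Integrated Security or
            // a dedicated read-only, least-privileged account, and never paste a privileged password here.
            string sqlConnectionString = "data source=DATABASE_FQN;initial catalog=DATABASE;Integrated Security=false;User Id=USER_NAME;Password=PASSWORD";

            IAzManStorage storage = new SqlAzManStorage(sqlConnectionString);

            try
            {
                // Ordinal comparison: the prefix test must not depend on the thread culture.
                // NOTE(review): a leading "S" is used as the marker for a Windows SID; anything else
                // is treated as a NetSqlAzMan DB user - confirm this matches your custom SID format.
                if (identity.StringValue.StartsWith("S", StringComparison.Ordinal))
                {
                    // A null resource is legal in a using statement; the identity is released after the check.
                    using (WindowsIdentity user = resolveWindowsIdentity(identity.StringValue))
                    {
                        // An account that cannot be resolved in the directory is denied.
                        return user != null && isAuthorized(storage, user);
                    }
                }

                return isAuthorized(storage, new AzManUser(identity));
            }
            catch (SqlAzManException)
            {
                // Fail closed: a storage error must never turn into a grant.
                return false;
            }
        }

        /// <summary>
        /// The access policy in one place, so both identity kinds are evaluated identically.
        /// Implements (GROUP1 AND GROUP2) OR (GROUP1 AND GROUP3), i.e. GROUP1 is mandatory.
        /// Writing it as (GROUP1 AND GROUP2) OR GROUP3 would let GROUP3 members through on their own.
        /// </summary>
        private bool isAuthorized(IAzManStorage storage, object user)
        {
            return checkRoleAuthorization(storage, "GROUP1", user)
                && (checkRoleAuthorization(storage, "GROUP2", user) || checkRoleAuthorization(storage, "GROUP3", user));
        }

        /// <summary>
        /// Looks up the directory account for a SID string and returns a WindowsIdentity built from
        /// its user principal name, or <c>null</c> when the account or its UPN cannot be found.
        /// </summary>
        private static WindowsIdentity resolveWindowsIdentity(string sid)
        {
            // System.DirectoryServices.AccountManagement cannot be referenced from a NetSqlAzMan
            // BizRule, so it is loaded and driven through reflection.
            Assembly asm = Assembly.Load(@"System.DirectoryServices.AccountManagement, Version=3.5.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089");

            System.Type userPrincipalType = asm.GetType("System.DirectoryServices.AccountManagement.UserPrincipal");
            System.Type principalContextType = asm.GetType("System.DirectoryServices.AccountManagement.PrincipalContext");
            System.Type contextTypeType = asm.GetType("System.DirectoryServices.AccountManagement.ContextType");
            System.Type identityTypeType = asm.GetType("System.DirectoryServices.AccountManagement.IdentityType");

            // ContextType value 1 is Domain; "DENALLIX" is the domain name to replace with your own.
            Object principalContext = Activator.CreateInstance(principalContextType, new object[] { Enum.ToObject(contextTypeType, 1), "DENALLIX" });

            // PrincipalContext and UserPrincipal hold directory connections; release them on every path.
            using (principalContext as IDisposable)
            {
                MethodInfo methodInfo = userPrincipalType.GetMethod("FindByIdentity", new Type[] { principalContextType, identityTypeType, typeof(string) });

                // IdentityType value 4 is Sid. FindByIdentity returns null when nothing matches.
                Object userPrincipal = methodInfo.Invoke(null, new object[] { principalContext, Enum.ToObject(identityTypeType, 4), sid });
                if (userPrincipal == null)
                {
                    return null;
                }

                using (userPrincipal as IDisposable)
                {
                    object userPrincipalName = userPrincipal.GetType().GetProperty("UserPrincipalName").GetValue(userPrincipal, null);
                    if (userPrincipalName == null || string.IsNullOrEmpty(userPrincipalName.ToString()))
                    {
                        return null;
                    }

                    return new WindowsIdentity(userPrincipalName.ToString());
                }
            }
        }

        /// <summary>
        /// Asks the storage whether <paramref name="user"/> is allowed on the named item.
        /// </summary>
        /// <param name="storage">Storage used for the access check.</param>
        /// <param name="roleName">Item name passed to CheckAccess.</param>
        /// <param name="user">A WindowsIdentity, otherwise an IAzManDBUser.</param>
        /// <returns><c>true</c> only for Allow or AllowWithDelegation.</returns>
        private bool checkRoleAuthorization(IAzManStorage storage, string roleName, object user)
        {
            // NOTE(review): the trailing "true" appears to be CheckAccess's operations-only flag -
            // confirm it is intended when the item checked here is a role rather than an operation.
            AuthorizationType auth;
            WindowsIdentity windowsUser = user as WindowsIdentity;
            if (windowsUser != null)
            {
                auth = storage.CheckAccess("MY STORE", "MY APPLICATION", roleName, windowsUser, DateTime.Now, true);
            }
            else
            {
                auth = storage.CheckAccess("MY STORE", "MY APPLICATION", roleName, (IAzManDBUser)user, DateTime.Now, true);
            }

            // Anything other than an explicit allow is treated as a denial.
            return auth == AuthorizationType.Allow || auth == AuthorizationType.AllowWithDelegation;
        }

    }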
    /// <summary>
    /// Minimal <c>IAzManDBUser</c> implementation: a SID, an optional user name and an
    /// initially empty bag of custom columns.
    /// </summary>
    public partial class AzManUser : IAzManDBUser
    {
        private Dictionary<string, object> _customColumns = new Dictionary<string, object>();

        private IAzManSid _sid;
        private string _username;

        /// <summary>Creates a user from a user name and a SID given as a string.</summary>
        public AzManUser(string username, string sid)
        {
            this._username = username;
            this._sid = new SqlAzManSID(sid);
        }

        /// <summary>Creates a user with an empty user name from a SID given as a string.</summary>
        public AzManUser(string sid)
            : this(string.Empty, sid)
        {
        }

        /// <summary>Creates a user with an empty user name from an existing SID object.</summary>
        public AzManUser(IAzManSid sid)
        {
            this._sid = sid;
            this._username = string.Empty;
        }

        /// <summary>Custom column values attached to this user.</summary>
        public Dictionary<string, object> CustomColumns
        {
            get
            {
                return this._customColumns;
            }
        }

        /// <summary>SID supplied at construction time.</summary>
        public IAzManSid CustomSid
        {
            get { return this._sid; }
        }

        /// <summary>User name supplied at construction time, or an empty string.</summary>
        public string UserName
        {
            get
            {
                return this._username;
            }
        }
    }
}