Role-Based Security
The cornerstone of COM+ access control is role-based security. A role is a symbolic category of users who share the same security privileges. When you assign a role to an application resource, you grant access to that resource to whoever is a member of that role.
Configuring Role-Based Security
The best way to explain role-based security is by demonstration. Suppose you have a COM+ banking application. The application contains one component, the bank component. The bank component supports two interfaces that allow users to manage bank accounts and loans, defined as:
    interface IAccountsManager : IUnknown
    {
       HRESULT TransferMoney([in]int nSum,[in]DWORD dwAccountSrc,
                             [in]DWORD dwAccountDest);
       HRESULT OpenAccount([out,retval]DWORD* pdwAccount);
       HRESULT CloseAccount([in]DWORD dwAccount);
       HRESULT GetBalance([in]DWORD dwAccount,[out,retval]int* pnBalance);
    };

    interface ILoansManager : IUnknown
    {
       HRESULT Apply([in]DWORD dwAccount,[out,retval]BOOL* pbApproved);
       HRESULT CalcPayment([in]DWORD dwSum,[out,retval]DWORD* pdwPayment);
       HRESULT MakePayment([in]DWORD dwAccount,[in]DWORD dwSum);
    };
During the requirements-gathering phase of product development, you discovered that not every user of the application should be able to access every method. In fact, there are four kinds of users:
The bank manager, the most powerful user, can access all methods on all interfaces of the component.
The bank teller can access all methods of the IAccountsManager interface, but is not authorized ...