Best practices question about authorization/technique for calling “core” business entities Cancel The title field is required!

1. Patrik Wikström

   

   68 posts
   Registered:
   15 Oct 2018
   Answered

   04 Jan 2019

   Link to this post

   Hi!
   
   We have an own class implementation for example for the RestServerSessionActivator and we are using some business entities in that class using their DatasetModels. Is there a good way to restrict access to these business entities from the “outside world” and only allow them to be called from these kinds of core functionality? Calling business entities directly would be one way but one really prefers the DatasetModel way of accessing the business entities. The problem is to identify when the call comes from the “outside world” or use some kind of flag/parameter etc. when calling the business entities from the core functionalities?
2. Mike Fechner

   

   319 posts
   Registered:
   14 Sep 2016
   04 Jan 2019 in reply to Patrik Wikström

   Link to this post

   What exactly do you mean with the "outside" world?
3. Patrik Wikström

   

   68 posts
   Registered:
   15 Oct 2018
   04 Jan 2019 in reply to Mike Fechner

   Link to this post

   Direct calls to the webhandlers on the PAS.
4. Mike Fechner

   

   319 posts
   Registered:
   14 Sep 2016
   04 Jan 2019 in reply to Patrik Wikström

   Link to this post

   Are you using our Authorization tables (security assignment) in the SmartDB?
5. Patrik Wikström

   

   68 posts
   Registered:
   15 Oct 2018
   04 Jan 2019 in reply to Mike Fechner

   Link to this post

   No, we use our own checks (...RequestAuthorizationProvider IMPLEMENTS IRequestAuthorizationProvider).
6. Mike Fechner

   

   319 posts
   Registered:
   14 Sep 2016
   04 Jan 2019 in reply to Patrik Wikström

   Link to this post

   In that case you should implement your own variant of the 
   
   Consultingwerk.OERA.IDatasetModelUseInterfaceProvider. 
   
   You can look at our implementation 
   
   Consultingwerk.OERA.DatasetModelUseInterfaceProvider
   
   as a sample. That implementation tells the DatasetModel's to communicate directly with the Business Entities bypassing the Service Interface (UseInterfaceEnum:ServiceManager) when a SmartFramework business entity calls into a SmartFramework DatasetModel. 
   
   We are using custom variants for this service also in micro-service architectures or DDD implementations when calls within a set of packages do not require authorization checks but calls from outside do required authorization checks. 
   
   In your specific case, it might be sufficient to just always return UseInterfaceEnum:ServiceManager - as your "outside" calls are going through the ServiceInterface into a Business Service first. And all calls made from DatasetModel's can bypass the Service Interface and thus the security checks in the IRequestAuthorizationProvider.
7. Patrik Wikström

   

   68 posts
   Registered:
   15 Oct 2018
   04 Jan 2019 in reply to Mike Fechner

   Link to this post

   Ok, thanks! We'll look into that after upgrading our SCL version because noticed that we don't have those classes (Consultingwerk.OERA.IDatasetModelUseInterfaceProvider, Consultingwerk.OERA.DatasetModelUseInterfaceProvider) or Enum values (UseInterfaceEnum:ServiceManager) in the current version we are using.
8. Mike Fechner

   

   319 posts
   Registered:
   14 Sep 2016
   04 Jan 2019 in reply to Patrik Wikström

   Link to this post

   This feature was released on March 19th 2018. 
   
   "DatasetModels now support a third UseInterface operating mode: via the ServiceManager
   
   In this mode, the DatasetModel's will obtain a reference to the Business Entity directly via the ServiceManager and will bypass the ServiceInterface that way. Performance will be slightly better as we're bypassing both the context handling in the ServiceInterface and the request authorization provider.
   
   The default value for every DatasetModel's UseInterface property is determined by the new Consultingwerk.OERA.IDatasetModelUseInterfaceProvider service (default implementation is DatasetModelUseInterfaceProvider). This class will decide to use the Service Manager, when the caller of the DatasetModel is from the same or a higher package as the DatasetModel and return the use previously in place logic based on the NUM-DBS's function else.
   
   This is in line with our current thinking about domain driven designs based on the SmartComponent Library backend. Customers implementing a DDD architecture and decide to allow direct access between business components within a module/silo/package may implement the rules when to use direct access and when to use the ServiceInterface in a custom implementation of the IDatasetModelUseInterfaceProvider service."
9. Patrik Wikström

   

   68 posts
   Registered:
   15 Oct 2018
   04 Jan 2019 in reply to Mike Fechner

   Link to this post

   It is really time for us to update SCL then! ;)
   Thanks again!