Question

In this article (http://www.codemag.com/Article/0001308101) it is suggested that claims can be used to grant/deny certain types of access to data rows.

To be more specific: the article mentions:

public void ProtectedMethod()
{
    ClaimsPrincipalPermission.CheckAccess("bankaccount|1234", "Read"); 
    // Perform protected task.
}

In my opinion (please correct me if I am wrong) this suggests that access to data rows (in this case bank account numbers) can be managed with claims.

So far I get the picture and find this doable (well I think).

Now, imagine I want to query a list of all the account numbers a user may access. In a non-claimed-based scenario we could query the database like:

var list = db.BankAccounts.Where(c => c.UserId == userId); 

in a claim based scenario it would mean something like (just an example scenario):

var list = db.BankAccounts.Where(c => 
    ClaimsPrincipalPermission.CheckAccess("bankaccount|1234", "Read"));

But this doesn't really feel right.

Am I missing a crucial part? Or is it not really a good idea to protect access to data rows in this way?

UPDATE

After reading Wiktor Zychla's answer and comments I am still confused: at the moment the claims are stored in a claims table. The BankAccounts are stored in another table.

So basically I see these options:

1) Query the bank accounts and join with the claims table (or cached data).

But I am still not sure this is the right approach.


Solution

Claims are just name-value pairs. It is perfectly valid to have a custom claim for the user id.

This means that you don't have to stick with this CheckAccess method. Rather, find a needed claim (user name, user id, whatever) and use its value like you would use the id in the former example.
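A sketch of the answer's approach, added here and not part of the original question or answer: the user id claim is read once and used as an ordinary filter, and per-row grants are collected from the claims before the query instead of calling CheckAccess inside Where(). The BankAccount record, the ByOwner/ByGrant methods and the "bankaccount" claim type are assumptions modelled on the question's "bankaccount|1234" resource string.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Constructed sample row; stands in for the BankAccounts table in the question.
public record BankAccount(string AccountNumber, string OwnerUserId);

public static class AccountQueries
{
    // Hypothetical claim type for per-row grants (one claim per granted account).
    public const string AccountClaimType = "bankaccount";

    // The answer's suggestion: take the user id from a claim and filter exactly
    // as the non-claims query did. This shape translates to SQL in EF.
    public static IEnumerable<BankAccount> ByOwner(IQueryable<BankAccount> accounts, ClaimsPrincipal user)
    {
        var userId = user.FindFirst(ClaimTypes.NameIdentifier)?.Value
                     ?? throw new UnauthorizedAccessException("no user id claim");
        return accounts.Where(a => a.OwnerUserId == userId).ToList();
    }

    // Per-row grants: collect the granted account numbers from the claims first,
    // then push that set into the query as an IN-style filter. A CheckAccess call
    // inside Where() cannot be translated to SQL and would evaluate per row in memory.
    public static IEnumerable<BankAccount> ByGrant(IQueryable<BankAccount> accounts, ClaimsPrincipal user)
    {
        var granted = user.FindAll(AccountClaimType).Select(c => c.Value).ToHashSet();
        if (granted.Count == 0) return Array.Empty<BankAccount>();
        return accounts.Where(a => granted.Contains(a.AccountNumber)).ToList();
    }

    public static void Main()
    {
        // Constructed principal: one user id claim plus two per-account grants.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, "u42"),
            new Claim(AccountClaimType, "1234"),
            new Claim(AccountClaimType, "5678"),
        }, "constructed");
        var user = new ClaimsPrincipal(identity);

        // Constructed in-memory table; in the real application this is db.BankAccounts.
        var accounts = new List<BankAccount>
        {
            new("1234", "u42"), new("5678", "u7"), new("9999", "u42"), new("0001", "u7"),
        }.AsQueryable();

        Console.WriteLine("owned:   " + string.Join(",", ByOwner(accounts, user).Select(a => a.AccountNumber)));
        Console.WriteLine("granted: " + string.Join(",", ByGrant(accounts, user).Select(a => a.AccountNumber)));
    }
}
```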

Licensed under: CC-BY-SA with attribution