Application Security, Part 27

  • Article

So, let us follow these four steps to populate the authorization store for our application.  We begin by creating operations that map to menu options and buttons on the main form of the application. An additional operation, called, Miscellaneous, is created to represent actions that have no security implications, that any user of the application would be permitted to perform. Each operation is assigned a number that must be unique.

Next we create tasks to represent what users could want to accomplish with the applications. For our particular application, which has menu items for adding new projects, adding tasks to projects, as well as controls for recording the current status of a project task, we create an Authorization Manager task for managing projects, which would include creating new projects, and adding tasks to projects. We create a task for updating the progress of a project task. Finally, we create a task that represents merely using the application itself.

Now we can associate operations with our tasks. With the project management task, we associate the operations of selecting the menu options for creating a new project, for adding tasks to a project, and for exporting data to Microsoft Project.

Next, we define the roles that we had envisaged for our application: project manager, project resources—who would be the main users of the application, entering data about the progress of their tasks—and assistants, who would be allowed to view and print data, but not modify it. Once the roles have been defined, we can specify the tasks that users in each of the roles may accomplish with the application. Project managers are entitled to undertake any of the three tasks we defined. Project resources would be allowed to operate the application and update the progress of project tasks. Assistants would merely be allowed to operate the application, not being permitted to update the progress of project tasks, and certainly not to manage a project. Finally, we can associate Windows users and groups with the project roles.