ServiceAuthorizationManager and PrincipalPermission

You may face a problem when trying to check for Principal permission and demand in the CheckAccessCore of the SerivceAuthorizationManager and you might see a security exception. This is primarily because the threads principal is not set when this demand check in the SAM happens.

 

You can however do a Principal Permission check within the operation either by a Demand() operation for the principal or delcaratively in code. This what Brent Schmaltz who helped with this issue said.

"There are two advantages of the SAM approach it is:

1. centralized and every call will be routed through there.  This avoids what I like to call the ‘fractured policy system” where one needs to touch all access points to understand the authorization policy.  This is similar to the File System.  For example with this method it is difficult to answer:  Can X access Y, without having X attempt to access Y?
2. called way up the stack and is hence has a performance advantage."

 

The solutions was to check the WindowsClaimSet. This claim set holds all the SIDs that is required and we can check the claim set if the SID of the group you require exits and bump the user out and authorizer the user using this. Basically you have a collection of SecurityIdentifiers in the WindowsClaimSet.

Next time - Checking SID's in the WindowsClaimSet