In EmpowerID, when Operation activities are invoked at runtime, a real-time approval authorization process is triggered to ensure that the user executing the code within the Operation activity has the right to do so. If the user has been granted the right, the code executes and the workflow continues; if the user does not have the right, the workflow routes the operation to an approver who must approve the task before the code will execute. By providing an operation framework, activities are extended to support RBAC authorization, audit logging and an entire approval process with email notifications and task lists.
In cases where the normal RBAC authorization process needs to be overridden or added to, EmpowerID provides an Authorization Manager class library in Workflow Studio, allowing you to add your own custom authorization manager class to handle unique operational authorization situations. You create a class in Workflow Studio inside the Authorization Manager class library that inherits from IAuthorizationManager and override the authorization methods specific to the operation you wish to affect. These methods are as follows:
In addition to creating the custom Authorization Manager class, you also need to specify the Authorization Manager Assembly and Authorization Manager Type in EmpowerID Management Console for the specific Resource Type operation(s) affected, setting the values to that of the assembly that gets created when you publish the class library and that of the full name of your custom class. Once you have accomplished this, EmpowerID will use the authorization manager specified for the operation when it is run.
In this topic, we demonstrate how to create a custom Authorization Manager class that adds members of an IT Admin group to the list of approvers for the Provision Computer and Move Computer operations. We demonstrate this by doing the following:
From Solution Explorer, search for AuthorizationManagerClassLibrary and then double-click the Authorization Manager Class Library template.
Workflow Studio opens a stubbed Authorization Manager Class Library class in the Workspace.
Implement the GetApprovers() method
Your class library should look similar to the following example. Please note that the name of your class will differ accordingly.
```csharp
public class AddComputertoLocAuthorizationManager : IAuthorizationManager
{
    // Decides whether the requestor may run the operation directly (true) or
    // whether it must be routed to the approvers returned by GetApprovers() (false).
    public bool HasAccess(Person Requestor, ResourceType ResourceType, E.TList<Resource> TargetResources,
        ResourceTypeOperation operation, Dictionary<string, object> Parameters)
    {
        // Stub generated by the template; implemented in the next step.
        throw new NotImplementedException();
    }

    // Returns the principals who may approve the operation when HasAccess() is false.
    public E.VList<PersonPrincipal> GetApprovers(Person Requestor, ResourceType ResourceType, E.TList<Resource> TargetResources,
        ResourceTypeOperation operation, Dictionary<string, object> Parameters)
    {
        // Stub generated by the template; implemented in a later step.
        throw new NotImplementedException();
    }
}
```
Determine whether the Requestor has access for the current operation
In the below example code, we are checking to see if the requestor has a title that contains IT Admin. If the requestor does, then the method returns true; otherwise, it returns false.
```csharp
public bool HasAccess(Person Requestor, ResourceType ResourceType, E.TList<Resource> TargetResources,
    ResourceTypeOperation operation, Dictionary<string, object> Parameters)
{
    // ToSafeString() turns a null title into "" so the comparison cannot throw.
    // The title is lower-cased, so the search string must be lower-case too;
    // searching for "IT Admin" after ToLower() would never match.
    if (Requestor.Title.ToSafeString().ToLower().Contains("it admin"))
    {
        // Requestors whose title contains "IT Admin" may run the operation directly.
        return true;
    }
    else
    {
        // Everyone else is denied here, so the operation routes to the approvers
        // returned by GetApprovers().
        return false;
    }
}
```
Return RBAC approvers if there are no IT Admin approvers available
The code should look similar to the below example.
```csharp
public E.VList<PersonPrincipal> GetApprovers(Person Requestor, ResourceType ResourceType, E.TList<Resource> TargetResources,
    ResourceTypeOperation operation, Dictionary<string, object> Parameters)
{
    // The approvers EmpowerID's standard RBAC process would select for this operation.
    E.VList<PersonPrincipal> RbacApprovers = PersonPrincipal.GetRbacApprovers(operation.Name, TargetResources);

    // Members of the IT Admin group (group ID 54 in this environment).
    var ITAdmins = Person.GetByGroupID(54);

    // Keep only the RBAC approvers who are also members of the IT Admin group.
    E.VList<PersonPrincipal> ITAdminApprovers = new E.VList<PersonPrincipal>(
        (from a in ITAdmins
         join b in RbacApprovers on a.PersonID equals b.PersonID
         select b).ToList());

    if (ITAdminApprovers.Count > 0)
    {
        return ITAdminApprovers;
    }
    else
    {
        // No RBAC approver is an IT Admin: fall back to the unfiltered RBAC approvers
        // so the operation can still be approved.
        return RbacApprovers;
    }
}
```
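The following stand-alone example, added here and not part of the EmpowerID code above, runs the two decisions from this topic against constructed data so you can see how they combine: the title check grants direct access, and the approver join narrows the RBAC approver set to its IT Admin members, falling back to the full RBAC set only when the intersection is empty. The Person and PersonPrincipal types are simplified stand-ins (the Name field is assumed), not the real EmpowerID classes.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Assumed minimal shapes of EmpowerID's Person and PersonPrincipal for this demo only.
public class Person { public int PersonID; public string Title; }
public class PersonPrincipal { public int PersonID; public string Name; }

public static class ApproverDemo
{
    // Same rule as the page's HasAccess(): direct access only when the title contains
    // "IT Admin". A null title is treated as "" (what ToSafeString() does) so it is denied, not an exception.
    public static bool HasAccess(Person requestor)
    {
        string title = requestor.Title ?? string.Empty;
        return title.IndexOf("IT Admin", StringComparison.OrdinalIgnoreCase) >= 0;
    }

    // Same rule as the page's GetApprovers(): RBAC approvers who are also IT Admins,
    // or the unfiltered RBAC approvers when nobody is in both sets.
    public static List<PersonPrincipal> GetApprovers(List<PersonPrincipal> rbacApprovers, List<Person> itAdmins)
    {
        var itAdminApprovers = (from a in itAdmins
                                join b in rbacApprovers on a.PersonID equals b.PersonID
                                select b).ToList();
        return itAdminApprovers.Count > 0 ? itAdminApprovers : rbacApprovers;
    }

    public static void Main()
    {
        // Constructed sample data: two RBAC approvers, one of whom (PersonID 2) is also an IT Admin.
        var rbac = new List<PersonPrincipal> {
            new PersonPrincipal { PersonID = 1, Name = "alice" },
            new PersonPrincipal { PersonID = 2, Name = "bob" } };
        var admins = new List<Person> {
            new Person { PersonID = 2, Title = "Senior IT Admin" },
            new Person { PersonID = 3, Title = "IT Admin" } };

        // Overlap exists: the approver set is NARROWED to the RBAC approvers who are IT Admins.
        Console.WriteLine("approvers: " + string.Join(",", GetApprovers(rbac, admins).Select(p => p.Name)));

        // No overlap: the method falls back to the full RBAC approver list.
        var unrelated = new List<Person> { new Person { PersonID = 9, Title = "IT Admin" } };
        Console.WriteLine("fallback:  " + string.Join(",", GetApprovers(rbac, unrelated).Select(p => p.Name)));

        // Title check is case-insensitive; a missing title is denied rather than throwing.
        Console.WriteLine("contractor: " + HasAccess(new Person { PersonID = 5, Title = "it admin (contractor)" }));
        Console.WriteLine("no title:   " + HasAccess(new Person { PersonID = 6, Title = null }));
    }
}
```

Note that the join narrows rather than widens the approver set: an IT Admin who is not already an RBAC approver never becomes one through this code.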
In the Authorization Manager Assembly field, enter the name of the Authorization Manager assembly you just created above, followed by the version number, Culture, and PublicKeyToken information as comma-separated values. This entry should look similar to AddComputerToLocation,Version=4.0.180.1,Culture=neutral,PublicKeyToken=2d2253f74d4496ef, where AddComputerToLocation and Version=4.0.180.1 are the name and version number, respectively, of the assembly in your environment.
EmpowerID PublicKeyToken values are always 2d2253f74d4496ef.
The next time the Create Computer operation is called in a workflow, the custom Authorization Manager should be invoked.