Roles

Another way to protect components from being called by unauthorized users is to add roles to a COM+ application. This only works if you have determined in what capacity, or role, users are allowed to use a COM+ application. It is a good way to add business security to your COM+ application. For example, within a bank, a teller is allowed to perform transfer transactions only up to $5,000, while teller supervisors can have a transaction limit of $15,000. By adding roles to the transaction component, you can check whether a user, based on his or her function, stays within his or her transfer limit.

First, let's look at how the declarative part of roles is implemented by the XLANG Scheduler:

1. Go to the Component Services.

2. Expand Roles under XLANG Scheduler.

3. You see four roles: XLANG Schedule Creator, XLANG Schedule User, XLANG Scheduler Administrator, and XLANG Scheduler Application.

4. Expand the four roles.

5. Expand Users under each role.

Three of the roles have Everyone as an assigned group (Figure 8.19). Since this amounts to very little security, change it as soon as possible. To do so, you need to know what these roles stand for:

■ XLANG Schedule Creator is able to run an XLANG schedule instance. If the caller's identity—hence, user account—is not assigned to this role, it is not allowed to start a schedule; instead, an error is displayed. This unauthorized attempt will also show up in the event log.

■ XLANG Schedule User is able to make calls to a running XLANG schedule instance; for example, to retrieve status information. Again, if the user is not assigned to the role, and he or she makes an unauthorized call, an error message is displayed and an event log entry is made.

■ XLANG Scheduler Administrator is able to monitor and influence the running of the XLANG Scheduler engines and the active instances.

■ XLANG Scheduler Application is the role that reflects the identity of the scheduler and is therefore the role the service account is playing.
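Expanding each role and its Users folder by hand is fine for four roles, but the same check can be scripted against the COM+ catalog so it can be repeated after every deployment. The following PowerShell script is an added example, not code from the book; it uses the COMAdmin catalog object (COMAdmin.COMAdminCatalog) and its Applications, Roles and UsersInRole collections, and assumes it is run in an elevated PowerShell on the server hosting the COM+ application. The application name defaults to the one used in this chapter; the list of broad principals to flag is a constructed choice.

```powershell
# Added example (not from the book): audit the roles of a COM+ application
# through the COMAdmin catalog instead of expanding them one by one in
# Component Services. Run elevated on the server that hosts the application.
param([string]$AppName = "XLANG Scheduler")

# Principals that grant a role to every caller; any of them in a role is what
# the chapter calls "not much security". Constructed list, extend as needed.
$BroadPrincipals = @("Everyone", "S-1-1-0", "Authenticated Users", "S-1-5-11")

$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps = $catalog.GetCollection("Applications")
$apps.Populate()

$app = $null
foreach ($candidate in $apps) {
    if ($candidate.Name -eq $AppName) { $app = $candidate; break }
}
if ($null -eq $app) { throw "COM+ application '$AppName' not found" }

# Application-level switches that the role settings depend on: if access checks
# are disabled here, roles on components and methods are never evaluated.
# AccessChecksLevel 1 is "process and component level"; Changeable $false is
# the "Disable changes" lock the chapter recommends after configuration.
$summary = "{0}: ApplicationAccessChecksEnabled={1}; AccessChecksLevel={2}; Changeable={3}" -f @(
    $app.Name,
    $app.Value("ApplicationAccessChecksEnabled"),
    $app.Value("AccessChecksLevel"),
    $app.Value("Changeable"))
Write-Output $summary

$roles = $apps.GetCollection("Roles", $app.Key)
$roles.Populate()

$findings = @()
foreach ($role in $roles) {
    $users = $roles.GetCollection("UsersInRole", $role.Key)
    $users.Populate()
    $members = @()
    foreach ($u in $users) { $members += $u.Value("User") }

    # Compare on the account name without any domain prefix.
    $broad = @($members | Where-Object { $BroadPrincipals -contains $_.Split('\')[-1] })
    $flag = if ($broad.Count -gt 0) { "REVIEW" }
            elseif ($members.Count -eq 0) { "EMPTY" }
            else { "ok" }

    Write-Output ("{0,-7} {1,-36} {2}" -f $flag, $role.Name, ($members -join ", "))
    if ($flag -ne "ok") { $findings += $role.Name }
}

# A non-zero exit code lets a scheduled compliance job pick up the result.
if ($findings.Count -gt 0) {
    Write-Warning ("Roles needing attention: " + ($findings -join "; "))
    exit 1
}
```

On a freshly installed XLANG Scheduler the script reports REVIEW for the three roles that still contain Everyone; an empty role is flagged too, because a role nobody holds silently denies every caller once access checks are enabled.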

Figure 8.19 Listing the Users Assigned to the XLANG Scheduler Roles

Roles can be assigned to different levels within the COM+ application:

■ The component

■ An interface within a component

■ A method within an interface

A lower level automatically inherits the role setting from a higher level, and you should always assign roles at the highest possible level. Again, this is something you already defined in the design phase of your BizTalk application, so at this stage, you only assign users in the operational environment to the roles defined within the different COM+ applications.

First, replace Everyone in the roles with the appropriate user or group accounts. For example, you need to link the service account of the XLANG Scheduler application to the XLANG Scheduler Application role. Follow these steps:

1. Select the Users folder of the XLANG Scheduler Application role.

2. Right-click the folder, and select New | User.

3. The Select Users and Groups dialog appears, and you can select the service account for XLANG Scheduler.

4. Press Add, followed by OK. The dialog closes and the user is added to the Users folder. Now you need to delete Everyone.

5. Select the object Everyone.

6. Right-click it, and select Delete.

7. A dialog appears asking you to confirm. Press Yes, and you are done.

Let's see how a role can be added to the WkFlow.SysMgr component, to show the ease with which you can apply roles:

1. Expand the Components folder.

2. Right-click WkFlow.SysMgr, and select Properties.

3. Select the Security tab (Figure 8.20).

Figure 8.20 The Security Tab in the WkFlow.SysMgr Properties Window

The option Enforce component level access checks is checked. If this option is grayed out, you did not select Perform access checks at the process and component level on the Security tab of the COM+ application's Properties window. Although this option is set at the application level, you can still deactivate it for individual components.

Below the Authorization option is the list of roles defined for the XLANG Scheduler application; only XLANG Scheduler Administrator is checked. You can deselect this role and/or select one or more of the other roles. If the Authorization option is grayed out, you cannot change the role setting. Now, let us assume you want to set the XLANG Schedule Creator role for the StartUp method of the IWFSystemAdmin interface.

1. Expand the WkFlow.SysMgr component.

2. Expand the Interfaces folder.

3. Expand the IWFSystemAdmin interface.

4. Expand the Methods folder.

5. Right-click the StartUp method, and select Properties.

6. Select the Security tab.

You see two role lists (Figure 8.21). The upper list shows the inherited roles; in our case, it contains only XLANG Scheduler Administrator. The lower list shows all available roles.

1. Select the check box XLANG Schedule Creator.

2. Press OK, and you have activated this role explicitly for this method.

Figure 8.21 The Roles Assigned to the IWFSystemAdmin.StartUp Method

To be sure these modifications are picked up right away, restart the XLANG Scheduler COM+ application.

It is just as easy to add new roles to a COM+ application as it is to add roles to a component or method:

1. Select the Roles folder under the XLANG Scheduler application.

2. Right-click it, and select New | Role.

3. Enter a name for the role, and press OK.

4. A dialog appears with the statement: "The XLANG Scheduler application was created by XLANG Scheduler Setup. Are you certain that the changes you are about to make are supported by XLANG Scheduler Setup?"

After making all the necessary changes to the XLANG Scheduler application, be sure to "lock" the properties of this COM+ application by selecting the check box Disable Changes in the Advanced tab in the XLANG Scheduler Properties window.
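The procedures above (replacing Everyone in the XLANG Scheduler Application role, granting XLANG Schedule Creator on IWFSystemAdmin.StartUp, adding a new role, restarting the application and locking it) can also be applied through the COM+ catalog, which is easier to review and repeat than a sequence of dialog clicks. The script below is an added example, not code from the book or from BizTalk; it uses the COMAdmin catalog collections (Roles, UsersInRole, Components, InterfacesForComponent, MethodsForInterface, RolesForMethod) and the ShutdownApplication/StartApplication methods. It assumes an elevated PowerShell on the COM+ host, that the application has not yet been locked with Disable Changes, and that $ServiceAccount (a placeholder value) is the XLANG Scheduler service account; the new role name is constructed for the example.

```powershell
# Added example (not from the book): the chapter's role changes applied via the
# COMAdmin catalog. Assumes elevated PowerShell on the COM+ host and that the
# application is not locked ("Disable changes") yet.
param(
    [string]$AppName        = "XLANG Scheduler",
    [string]$ServiceAccount = "DOMAIN\svc-xlang",   # placeholder: the real service account
    [string]$NewRoleName    = "Schedule Auditor"     # constructed example role name
)

$catalog = New-Object -ComObject COMAdmin.COMAdminCatalog
$apps = $catalog.GetCollection("Applications")
$apps.Populate()
$app = $null
foreach ($c in $apps) { if ($c.Name -eq $AppName) { $app = $c; break } }
if ($null -eq $app) { throw "COM+ application '$AppName' not found" }
if (-not $app.Value("Changeable")) { throw "'$AppName' is locked (Disable changes); unlock it first" }

# Helper: find one catalog object by Name in an already populated collection.
function Find-CatalogObject($collection, [string]$name) {
    foreach ($o in $collection) { if ($o.Name -eq $name) { return $o } }
    throw "'$name' not found in collection $($collection.Name)"
}

$roles = $apps.GetCollection("Roles", $app.Key)
$roles.Populate()

# 1. XLANG Scheduler Application role: add the service account, then drop Everyone.
$role  = Find-CatalogObject $roles "XLANG Scheduler Application"
$users = $roles.GetCollection("UsersInRole", $role.Key)
$users.Populate()
$newUser = $users.Add()
$newUser.Value("User") = $ServiceAccount
$users.SaveChanges() | Out-Null
$users.Populate()
# Remove by index, walking backwards so a removal does not shift later indexes.
for ($i = $users.Count - 1; $i -ge 0; $i--) {
    if ($users.Item($i).Value("User").Split('\')[-1] -eq "Everyone") { $users.Remove($i) }
}
$users.SaveChanges() | Out-Null

# 2. Grant XLANG Schedule Creator on IWFSystemAdmin.StartUp of WkFlow.SysMgr.
$comps = $apps.GetCollection("Components", $app.Key); $comps.Populate()
$comp  = Find-CatalogObject $comps "WkFlow.SysMgr"
$comp.Value("ComponentAccessChecksEnabled") = $true   # "Enforce component level access checks"
$comps.SaveChanges() | Out-Null
$ifaces  = $comps.GetCollection("InterfacesForComponent", $comp.Key); $ifaces.Populate()
$iface   = Find-CatalogObject $ifaces "IWFSystemAdmin"
$methods = $ifaces.GetCollection("MethodsForInterface", $iface.Key); $methods.Populate()
$method  = Find-CatalogObject $methods "StartUp"
$mroles  = $methods.GetCollection("RolesForMethod", $method.Key); $mroles.Populate()
$grant = $mroles.Add()
$grant.Value("Name") = "XLANG Schedule Creator"     # role must already exist in the application
$mroles.SaveChanges() | Out-Null

# 3. Add a new application-level role (constructed name); assign users to it
#    afterwards exactly as in step 1, otherwise it grants nothing.
$added = $roles.Add()
$added.Value("Name") = $NewRoleName
$roles.SaveChanges() | Out-Null

# 4. Restart so the running engine picks up the new role bindings right away ...
$catalog.ShutdownApplication($AppName)
$catalog.StartApplication($AppName)

# 5. ... and lock the application (the Disable Changes box on the Advanced tab).
$app.Value("Changeable") = $false
$apps.SaveChanges() | Out-Null
```

Each SaveChanges call writes one collection back to the catalog, so keep the order shown: the service account is saved before Everyone is removed, which avoids a moment in which the role is empty, and the lock is applied last, since a locked application rejects every later SaveChanges.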
