Lamenting the lack of full DDL triggers and SQLCLR in SQL Azure

By -

Recently I have been working with an alpha release of Aditibus™ Policy Server which supports some nice features well beyond the traditional role based access control (RBAC). Some of these features include native support for:

  • Geospatial Constraints – base on physical location of user
  • Historical Constraints – based on user’s past actions or other’s actions
  • Temporal  Constraints – based on time, for example, is someone on duty or not
  • Policy Effectivity – ability to set policy rules to be turned on or off in the future automatically
  • Strict Delegation – giving someone else a set of permissions and by doing so, you no longer have those permissions until you recall the permissions
  • Soft Delegation  --giving someone else a set of permissions and by doing so, you still retain those permissions until you revoke the permissions (or someone removes those permission from you)
  • Obligation – following the UCONabc model

Aditibus™ recommended interface for SQL Server is actually sweet. It is done via DDL, for example their code snipet for controlling login is a very simple:

 

Code Snippet
  1. CREATE TRIGGER Login_Permission
  2. ON ALL SERVER
  3. FOR LOGON
  4. AS
  5. BEGIN
  6. IF Aditybus.dbo.HasPermission(EVENTDATA()) !=1
  7.     BEGIN
  8.     ROLLBACK
  9.     RETURN
  10.     END
  11. END

 

This allows the addition of Aditibus™ “Odin’s Oak” product to existing SQL Systems without needing to modify the existing code base. Unfortunately this will not work on SQL Azure per the documentation. Their HasPermission function is a SQLCLR function which fortunately has alternatives available – but at a cost of lower performance.

 

So I am hoping that SQL Azure will evolve to integrate better (or that Aditibus will find elegant solutions). As a FYI to newbies, the list of DDL events supported in SQL Server may be found here.

Comments

Post a Comment

Popular posts from this blog

Simple WP7 Mango App for Background Tasks, Toast, and Tiles: Code Explanation

By -
Image
This is a continuation of this post , explaining how the sample app works. Caution : This sample isn’t meant as an example of best patterns and practices. If you see something in the code you would never do, then don’t. Solution File Organization The app has three Visual Studio Projects: the app, the agent, and the shared code library between them. One of the great things about Mango is that now the built-in Visual Studio Unit test functionality is available. By separating out the meat of the work into the SampleShared project, I can also focus my unit testing there. SampleApp1 The app has a MainPage, a ViewModel, and the WMAppManifest.xml file modified to note my ExtendedTask of BackgroundServiceAgent. The Agent is extremely simple with a call to the shared library, an update to the Tile, and a call to pop up Toast. The meat of the work is in the SampleShared library. The AgentMgr manages the background agent : add, remove, find, run now. It is only called f...
Read more

Error : /ScriptResource.axd : Invalid viewstate.

By -
This issue is caused when the ScriptResource.axd querystring parameters can not be decoded on the server. This error can be caused from multiple issues with server configuration or the Browser's interaction with the server. The ScriptResource.axd contains all of the clientside javascript routines for Ajax. Just because you include a scriptmanager that loads a script file it will never appear as a ScriptResource.AXD - instead it will be merely passed as the .js file you send if you reference a external script file. In other words it is what the Microsoft Ajax libraries inject into your HTML to allow them to access their javascript functions they need for page manipulation. ASP.NET will use the machine key to encrypt the ScriptResource.axd (and webresource.axd) url's parameters(in querystring), and by default the machinekey is a randomly generated one which may involve the current time. By default there is a different machinekey on every machine, and it changes when the applic...
Read more

Running Multiple Threads on Windows Azure

By -
The default worker role created by Visual Studio 2010 generates code that only leverages a single thread in your compute instance. Using that generated code, if you make synchronous network requests to SQL Azure or to a web service (for example via REST), your dedicated core for the instance becomes underutilized while it waits for the response from the network. One technique is to use the asynchronous functions in ADO.NET and the HTTPWebRequest classes to offload the work to the background worker. For more information about asynchronous calls read: Asynchronous Programming Design Patterns . Another technique that I will cover in this blog post is how to start up multiple threads, each for a dedicated task, for this purpose I have coded a multi-threaded framework to use in your worker role.   Goals of the framework: Remain true to the design of the RoleEntryPoint class, the main class called by the Windows Azure instance, so that you don’t have to redesign your code. ...
Read more