This topic illustrates the many types of permission checks possible in the Forefront Identity Manager Certificate Management (FIM CM) Provision API.

Sample: CheckAccessForUser

The CheckAccessForUser function, implemented in the following sample, accepts the GUID of a target user as a string and checks the caller's permissions to initiate various FIM CM requests for that target user. The function verifies whether the caller may initiate enrollment, recovery, retirement, and unblock requests on behalf of that user.

AccessCheckOnRequest, also implemented in the following sample, approaches permissions from the request side. Given the GUID of a request object, AccessCheckOnRequest checks whether the caller (that is, the user whose security context executes this code) may perform various operations on the supplied request: approving, cancelling, denying, and several others.

Caution:
When using this code, keep in mind the guidelines on whether you need to use .NET Remoting. See .NET Framework Remoting in the Provision API for more information.
using System;
using System.Text;
using System.Collections;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Collections.ObjectModel;
using System.IO;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Net;

using Microsoft.Clm.Shared;
using Microsoft.Clm.Shared.Certificates;
using Microsoft.Clm.Shared.ProfileTemplates;
using Microsoft.Clm.Shared.Requests;
using Microsoft.Clm.Shared.Smartcards;
using Microsoft.Clm.Provision;

namespace Contoso.Clm.Test
{
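	/// <summary>
	/// Exercises the two FIM CM permission-check entry points: a target-user check
	/// (<see cref="CheckAccessForUser"/>) and a per-request check
	/// (<see cref="AccessCheckOnRequest"/>). Results are written to the console.
	/// Both checks are evaluated for the caller, i.e. the security context under
	/// which this code runs. A "True" result is a point-in-time answer; treat it as
	/// informational and do not reuse it as authorization for an operation performed
	/// later, which must be checked again at the time it is executed.
	/// </summary>
	class PermissionCheckTest
	{
		// Prefix for every per-permission result line, so the results are visually
		// subordinate to the header line printed for the UUID being checked.
		// Declared once here: the original sample referenced this name in
		// CheckAccessForUser without declaring it there.
		private const string SecondLinePrefix = ">";

		/// <summary>
		/// Checks whether the caller may initiate enroll, recover, retire and unblock
		/// requests on behalf of the user identified by <paramref name="sUuid"/>, and
		/// prints one line per result.
		/// </summary>
		/// <param name="sUuid">GUID of the target user, as a string. A null or empty
		/// value is ignored and nothing is printed.</param>
		/// <exception cref="FormatException">Raised by the <see cref="Guid"/>
		/// constructor when <paramref name="sUuid"/> is non-empty but not a valid GUID.
		/// If the value comes from an untrusted source (user input, a request body),
		/// validate it with Guid.TryParse before calling this method.</exception>
		public void CheckAccessForUser(string sUuid)
		{
			if (string.IsNullOrEmpty(sUuid))
			{
				return;
			}

			Console.WriteLine("Checking for UUID: {0}", sUuid);
			Guid userUuid = new Guid(sUuid);

			// Each call asks FIM CM whether the *caller* holds the given request
			// permission for the target user; the target user's own rights are not
			// what is being evaluated here.
			bool hasRequestEnroll = PermissionOperations.AccessCheck(userUuid, UserPermission.ClmRequestEnroll);
			bool hasRequestRecover = PermissionOperations.AccessCheck(userUuid, UserPermission.ClmRequestRecover);
			bool hasRequestRetire = PermissionOperations.AccessCheck(userUuid, UserPermission.ClmRequestRetire);
			bool hasRequestUnblock = PermissionOperations.AccessCheck(userUuid, UserPermission.ClmRequestUnblock);

			Console.WriteLine("{0}Request Enroll? {1}", SecondLinePrefix, hasRequestEnroll);
			Console.WriteLine("{0}Request Recover? {1}", SecondLinePrefix, hasRequestRecover);
			Console.WriteLine("{0}Request Retire? {1}", SecondLinePrefix, hasRequestRetire);
			Console.WriteLine("{0}Request Unblock? {1}", SecondLinePrefix, hasRequestUnblock);
		}

		/// <summary>
		/// Looks up the request identified by <paramref name="sUuid"/> and checks,
		/// for each <see cref="RequestPermission"/> exercised below, whether the
		/// caller may perform that operation on it. Prints one line per result.
		/// </summary>
		/// <param name="sUuid">GUID of the FIM CM request object, as a string. The
		/// header line is always printed; a null or empty value performs no checks.</param>
		/// <exception cref="FormatException">Raised by the <see cref="Guid"/>
		/// constructor when <paramref name="sUuid"/> is non-empty but not a valid GUID.
		/// Validate untrusted input with Guid.TryParse before calling.</exception>
		public void AccessCheckOnRequest(string sUuid)
		{
			// WriteLine rather than Write: the original sample left the header
			// unterminated, so the first result line was appended to it.
			Console.WriteLine("Access Check for request UUID: {0}", sUuid);

			if (string.IsNullOrEmpty(sUuid))
			{
				return;
			}

			Guid requestUuid = new Guid(sUuid);
			// NOTE(review): GetRequest's behaviour for an unknown UUID is not shown on
			// this page (null return vs. exception) — confirm before relying on this
			// path with identifiers supplied by a caller.
			Request request = FindOperations.GetRequest(requestUuid);

			bool hasAbandon = PermissionOperations.AccessCheck(request, RequestPermission.Abandon);
			bool hasApprove = PermissionOperations.AccessCheck(request, RequestPermission.Approve);
			bool hasCancel = PermissionOperations.AccessCheck(request, RequestPermission.Cancel);
			bool hasChangePriority = PermissionOperations.AccessCheck(request, RequestPermission.ChangePriority);
			bool hasDeny = PermissionOperations.AccessCheck(request, RequestPermission.Deny);
			bool hasDistributeSecrets = PermissionOperations.AccessCheck(request, RequestPermission.DistributeSecrets);
			bool hasExecute = PermissionOperations.AccessCheck(request, RequestPermission.Execute);
			bool hasPrintDocuments = PermissionOperations.AccessCheck(request, RequestPermission.PrintDocuments);
			bool hasRead = PermissionOperations.AccessCheck(request, RequestPermission.Read);
			bool hasWrite = PermissionOperations.AccessCheck(request, RequestPermission.Write);

			Console.WriteLine("{0}Abandon? {1}", SecondLinePrefix, hasAbandon);
			Console.WriteLine("{0}Approve? {1}", SecondLinePrefix, hasApprove);
			Console.WriteLine("{0}Cancel? {1}", SecondLinePrefix, hasCancel);
			Console.WriteLine("{0}Change Priority? {1}", SecondLinePrefix, hasChangePriority);
			Console.WriteLine("{0}Deny? {1}", SecondLinePrefix, hasDeny);
			Console.WriteLine("{0}Distribute Secrets? {1}", SecondLinePrefix, hasDistributeSecrets);
			Console.WriteLine("{0}Execute? {1}", SecondLinePrefix, hasExecute);
			Console.WriteLine("{0}Print Docs? {1}", SecondLinePrefix, hasPrintDocuments);
			Console.WriteLine("{0}Read? {1}", SecondLinePrefix, hasRead);
			Console.WriteLine("{0}Write? {1}", SecondLinePrefix, hasWrite);
		}
	}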
}

See Also