Comments on: SOA and Authorization: What’s so hard about it anyway?

By: Beyond Role-Based Access Control | Summa Blog

Beyond Role-Based Access Control | Summa Blog — Wed, 03 Nov 2010 18:22:33 +0000

[...] Row-level Filters Some authorization rules transcend binary permit/deny decisions; they instead state that results of a request be filtered to only those rows a user is authorized to view. For example, perhaps a doctor querying a patient database should only be shown those patients for whom he’s had contact, and hide the others. Or “users from San Francisco can only view customers from San Francisco”. I touched on this distinction between access control and filtering a bit more in a previous post. [...]

By: Nate Miller

Nate Miller — Fri, 11 Jun 2010 22:54:42 +0000

Wow - great post. Your questions echo a lot of the same challenges I’ve been struggling with conceptually in SOA. Where the hell does user authorization code live in an SOA system? The allure of using an ESB entity to play traffic cop in service-to-service requests is powerful, but this of course leads to terrible problems in its own right. Glad to see I’m not the only one struggling with these questions.

By: Ben Northrop

Ben Northrop — Mon, 10 May 2010 12:24:51 +0000

Thanks guys! Part 2 and 3 are in the works now.

By: Erik

Erik — Sun, 09 May 2010 07:47:08 +0000

Very informative and interesting!

Any plans for a follow up on this?

By: Srinivasan.P

Srinivasan.P — Sun, 28 Mar 2010 08:19:33 +0000

Excellent post. Waiting in hope you’ll post the Part2 soon…

By: Nitesh Garg

Nitesh Garg — Sat, 20 Mar 2010 11:36:54 +0000

Hey Ben!

This is an excellent post. Hope you find time soon for the follow up post!