Authorization Plugins are the code based solution to restricting access to data through services. If there isn't a metadata construct to handle the restriction you need, you can always write an Authorization Plugin and wire it to your Controller Configuration. This will typically be necessary for securing operations through the generic end points at a record level.
Remember, if the controller configuration already has an authorization plugin, you must extend its plugin for your implementation and ensure you are allowing the base class to reject the request. If you do not do this, you will effectively be turning off stock security checks.
The base class for all authorization plugins is AuthorizationPluginBase. You should override the IsAuthorized method to return true or false if the request should be allowed or denied.
When starting development it is often useful to know why a request was allowed or denied. In your authorization plugin you can use the following code to give this information to the caller:
AuthorizationDebugInformationFactory.Instance.DebugInformation["AptifyAuthorizationResults"] = "This
service application does not have read access to Persons";
This header is erased from the service request if Aptify.Services.General.EnableErrorMessages is set to false in web.config.
There is a good chance your authorization plugin will need to do some heavy work in order to answer the authorization question. For example, when determining if access should be granted to a GE operation you may need to fetch the GE in question. If the request passes, the controller will execute and it will also need to fetch the GE. There is no need to fetch the GE twice in this scenario. You can use the MiscProperties bucket on the ServiceRequestContext to communicate information between the authorization plugin and the controller. Several stock end points already look in this MiscProperties bucket for information of this nature. For example:
|GetRecordGE||GetRecordGE||The value is the GE being requested.|
|EntityBatchAuthorization||GERecord_<enttiyName>_<recordId>||There will be a key in MiscProperties for each entity that is part of the batch request.|
|LinkBoxAuthorization||AdditionalSQLFilter||An additional piece of SQL that will be appended to the where clause of an entity search request. This can be used to filter results out for an entity based on the results of a SQL function.|
|LinkBoxAuthorization||StoredProcedureParameters||When configuring the Search Configurations entity for global search, you may need the Search Stored Procedure to accept additional parameters. You can place these parameters into this property and they will be used when performing a search.|