I have been attempting to consider how Row Level Security might be implemented using the Entity Framework. The concept is to possess a database agnostic implies that would offer techniques to limit the rows from the ObjectContext.

A number of my inital ideas have involved modifying the partial classes produced through the EDMGEN tool which has offered some limited support. Customers continue to be capable of getting for this solution using own eSQL claims along with a QueryObject.

I have been searching for an extensive solution that will exist over the database companies to ensure that it might remain agnostic.

Sure it can be done. The key factor to complete would be to block direct accessibility object context (stopping customers from building their very own ObjectQuery), and rather provide the client a narrower gateway within which to gain access to and mutate organizations. We all do it using the Entity Repository pattern. You'll find an example implementation of this pattern for the entity framework in this blog post. Again, the bottom line is obstructing accessibility object context. Observe that the item context class is partial. Which means you should have the ability to prevent "unauthorized" way of instantiating it, namely, outdoors of the repository set up.

However, you will find subtleties to think about. Should you implement row-level view security on the certain entity type through the repository pattern, then you definitely must consider other strategies by that your client could access exactly the same organizations. For instance, via navigational associations. You may want to have of individuals associations private, which you'll do inside your model. You might also need a choice of specifying a custom query or saved technique of loading/saving organizations. Saved methods are usually DB server specific, but SQL could be designed in a normal manner.

As I differ this can't be completed with the Entity Framework, I actually do accept the "get it done around the DB server" comments insofar while you should implement defense in depth.

Where you add security really is dependent on who you are attempting to secure against.

If, for instance, you had been acquiring an internet site, then adding the blocking in the context level could be sufficient, since the "customers" within this situation are on the internet site. They've no choice but to undergo your context, because you would write the applying entirely from the context.

Inside your situation, it may sound such as the "customers" you are attempting to secure against are designers. That's a great deal harder. When the designers don't get access to make changes towards the database itself, then you will need to place the security in the database level. No quantity of eSQL access will have the ability to circumvent the database saying "no".

What you are attempting to achieve is, obviously, difficult.

When the security isn't handled clearly through the underlying database application (SQL Server, Oracle, whatever) then your standard tools like SQL Management Studio will blow right past it.

The very best you should do is enforce row level security by customers from the application Only when individuals customers do not need the database via another mechanism.