I’ve been thinking about the dashCommerce security model – or lack thereof.
Sure, there is standard security, but what I want to be able to do is identify certain coarse-grained operations and apply an authorization rule to each. That rule can then be configured and assigned to a role during application configuration and then modified at runtime as well.
For instance, maybe I have a “Create Product” authorization rule. That rule may only be configured for the Administrator role by default. But suppose there is a situation where I would like my vendors to be able to add products as well. I can see all sorts of situations where I would like to add additional rules to the application and assign these authorizations to them at runtime.
Also, considering the application is highly extensible, there are situations where I may drop in a new assembly and I would want any of the coarse-grained authorization operations to automagically appear in my admin UI as authorizations to assign.
Sounds like something someone out there should have solved by now, but the only thing I see that is close to it is the Security Application Block in the Enterprise Library, and that requires a code check. I’d rather see something like an attribute or something similar since, when dropping in an assembly, we’ll have to interrogate it dynamically for its operations and their respective authorization demands.
Is there anything out there that does this? Any guidance from anybody on do’s, don’ts and avoids?
While writing this, I was listening to "Panther" by Ultramarine
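
One way to get the attribute-driven model the post asks for, as an added example in C# (not dashCommerce or Enterprise Library code). `SecuredOperationAttribute`, `AuthorizationRegistry` and `Demo` are hypothetical names; the registry discovers operations by reflection and keeps role assignments in memory so they can be changed at runtime.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;

// Hypothetical attribute: declares a coarse-grained operation and its default roles.
[AttributeUsage(AttributeTargets.Method)]
public sealed class SecuredOperationAttribute : Attribute
{
    public string Name { get; }
    public string[] DefaultRoles { get; }
    public SecuredOperationAttribute(string name, params string[] roles) { Name = name; DefaultRoles = roles; }
}

// Hypothetical in-memory rule store: operation name -> roles allowed to perform it.
public sealed class AuthorizationRegistry
{
    private const BindingFlags Flags = BindingFlags.Public | BindingFlags.Instance | BindingFlags.Static;
    private readonly Dictionary<string, HashSet<string>> _rules =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase);
    public IEnumerable<string> Operations => _rules.Keys;   // what the admin UI would list
    // Interrogate a dropped-in assembly; rules already edited at runtime survive a re-scan.
    public void Discover(Assembly assembly)
    {
        foreach (var op in assembly.GetTypes().SelectMany(t => t.GetMethods(Flags))
                     .Select(m => m.GetCustomAttribute<SecuredOperationAttribute>())
                     .Where(a => a != null && !_rules.ContainsKey(a.Name)))
            _rules[op.Name] = new HashSet<string>(op.DefaultRoles, StringComparer.OrdinalIgnoreCase);
    }
    // Runtime changes; an operation that was never discovered throws KeyNotFoundException.
    public void Grant(string operation, string role) => _rules[operation].Add(role);
    public void Revoke(string operation, string role) => _rules[operation].Remove(role);
    // Deny by default: unknown operations and unlisted roles are refused.
    public bool IsAuthorized(string operation, IEnumerable<string> userRoles) =>
        _rules.TryGetValue(operation, out var allowed) && userRoles.Any(r => allowed.Contains(r));
}

public static class Demo   // constructed sample standing in for a plug-in assembly
{
    [SecuredOperation("Create Product", "Administrator")]
    public static void CreateProduct() { }
    public static void Main()
    {
        var registry = new AuthorizationRegistry();
        registry.Discover(typeof(Demo).Assembly);
        Console.WriteLine(registry.IsAuthorized("Create Product", new[] { "Vendor" }));
        registry.Grant("Create Product", "Vendor");   // vendors allowed at runtime
        Console.WriteLine(registry.IsAuthorized("Create Product", new[] { "Vendor" }));
    }
}
```

Enforcement still needs a call to `IsAuthorized` at one central point, such as a method interceptor or a base page or controller, and a real deployment would persist the rules rather than keep them in memory.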