SharePoint Server Subscription Edition AMA
Event Ended
Tuesday, May 10, 2022, 08:00 AM PDT
We are very excited to announce a SharePoint Server Subscription Edition AMA!
An AMA is a live text-based online event similar to a “YamJam” on Yammer or an “Ask Me Anything” on Reddit. This AM...
EmilyPerina
Updated May 10, 2022
jmThia
May 10, 2022
Brass Contributor
A dream... it will be so powerful to express authZ with relational logic. For example not in a group, in groupA and groupB.
Steve Zhang
Microsoft
May 16, 2022
Hi Jean,
Thank you for bringing this request to us. From my understanding, relational logic is sometimes very risky if the expression is not well defined. Would you please tell us why you need such a feature, how you expect it to work, and in which scenario? It would be good to learn more about the details and evaluate carefully.
Thanks
Steve
- jmThia, May 16, 2022, Brass Contributor
  Hi Steve,
  You are right, and it is also pretty complex to implement. When dealing with a user object, it could be handled with a new group resulting from the math of the expression. And I just cannot imagine how it could be done with a claim object, which is considered a group object and is dynamically assigned by the claim provider.
  Example 1: a real request I had today - all members of a site can access a library, but not rookies. Rookies are allowed after 6 months. OK, this can simply be done with pnpPoSh calculating the result group. But it would be as simple as a rookie group and an authZ expression: members group and not rookie group.
  Example 2: all members above 18 can access a web; this could be expressed as members group and over18 claim.
  Well, this looks like subgroups, but there is no subGroup in SP. It is so challenging to implement, which makes it a dream. I hope that I sparked some interest, as I think this will make authZ in SharePoint readable, comprehensive and auditable. You are welcome to ask any question or request more examples.
  Regards, Jean Marie
- Aria_Consulting, May 16, 2022, Brass Contributor
  Wouldn't this be possible through the combination of AAD Conditional Access Policies and the (in preview) Custom Security Attributes?
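
The two expressions from jmThia's reply above ("members group and not rookie group", "members group and over18 claim"), worked as an added example that is not part of the thread and is not a SharePoint feature or API: a small evaluator that materializes the "result group" and rejects ill-defined expressions instead of guessing. The directory contents, principal names and the functions `compile_expr` and `resolve_group` are hypothetical, and claims are modelled here as static sets.

```python
import re

# Constructed sample directory: group or claim name -> principals holding it.
DIRECTORY = {"members": {"alice", "bob", "carol"}, "rookies": {"bob"},
             "over18": {"alice", "bob"}}

class ExpressionError(ValueError):
    """Malformed expression or reference to an unknown group/claim."""

def compile_expr(expr, directory):
    """Compile 'a and not b' style text into a predicate over principal names."""
    # Any stray character becomes its own token and is rejected later.
    tokens = re.findall(r"[()]|\w+|\S", expr)

    def take(expected=None):
        if not tokens or (expected and tokens[0] != expected):
            raise ExpressionError(f"expected {expected or 'a name'} in {expr!r}")
        return tokens.pop(0)

    def binary(keyword, operand, combine):
        left = operand()
        while tokens and tokens[0] == keyword:
            take(keyword)
            left = combine(left, operand())
        return left

    def or_expr():   # lowest precedence
        return binary("or", and_expr, lambda a, b: lambda u: a(u) or b(u))

    def and_expr():
        return binary("and", not_expr, lambda a, b: lambda u: a(u) and b(u))

    def not_expr():  # highest precedence: 'not', parentheses, names
        if tokens and tokens[0] == "not":
            take("not")
            inner = not_expr()
            return lambda u: not inner(u)
        tok = take()
        if tok == "(":
            inner = or_expr()
            take(")")
            return inner
        if tok not in directory:  # fail closed: a typo is never an empty group
            raise ExpressionError(f"unknown group or claim {tok!r}")
        return lambda u: u in directory[tok]

    predicate = or_expr()
    if tokens:
        raise ExpressionError(f"unexpected {tokens[0]!r} in {expr!r}")
    return predicate

def resolve_group(expr, directory=DIRECTORY):
    """Materialize the 'result group': known principals that satisfy expr."""
    allowed = compile_expr(expr, directory)
    return {u for u in set().union(*directory.values()) if allowed(u)}
```

A misspelled name such as `rookeis` raises `ExpressionError` rather than being read as an empty group, which would otherwise silently admit the rookies.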