This blog entry is all about BAM, in particular how to attach related documents. As part of this entry I also talk about BAM security, in particular how to restrict normal business users from viewing the related documents, while through IIS authorisation we can still allow a subset of users to view the related documents with the associated BAM activity.
Attaching messages to a BAM activity is quite easy. Here is the code. First you will need to do the following:
// Add document reference
// (bamViewName, bamActivityName and bamActivityID are orchestration variables
// already set for this activity instance; bamDocument is an XmlDocument variable)
bamDocument = msgRequest.Body;
bamDocumentName = "Inbound Request";
bamDocumentLink = System.String.Format(
    "/BAM/BAMManagementService/BamManagementService.asmx/GetReferences?viewName={0}&activityName={1}&activityInstanceId={2}&referenceType={3}",
    bamViewName,
    bamActivityName,
    bamActivityID,
    bamDocumentName);
// Store the message body itself as a reference: type = bamDocumentName,
// name = "Message Body", data = timestamp, long data = the message XML
Microsoft.BizTalk.Bam.EventObservation.OrchestrationEventStream.AddReference(
    bamActivityName, bamActivityID, bamDocumentName, "Message Body",
    System.DateTime.UtcNow.ToString(), bamDocument.DocumentElement.OuterXml);
// Store the portal URL that retrieves it: type = "DocumentUrl", name = bamDocumentName
Microsoft.BizTalk.Bam.EventObservation.OrchestrationEventStream.AddReference(
    bamActivityName, bamActivityID, "DocumentUrl", bamDocumentName, bamDocumentLink, "");
Enabling HTTP GET on the Portal (BamManagementService.asmx web.config)
<webServices>
    <protocols>
        <add name="HttpGet"/>
    </protocols>
</webServices>
Now let's talk about security. As you probably already know, all BAM users can view the related documents via the BAM web portal. We now want to restrict these users from viewing the message, as it may contain sensitive content. Hence we only want to allow a subset of privileged users the authorisation to view these messages.
An effective and easy solution is to use the ASP.NET authorisation components in web.config. As the “view message” action is the only action that issues GET requests to BamManagementService.asmx, as described above, we can create an additional authorisation rule to allow only a subset of users (an AD group) to view these related documents/messages.
Let's review the web.config:
<configuration>
    <system.web>
        <authorization>
            <allow roles="Everyone" verbs="POST" />
            <allow roles="MICROANGELO\BAM MESSAGE VIEWERS" verbs="GET" />
            <deny users="*" />
        </authorization>
    </system.web>
</configuration>
What I have done above is allow the AD group MICROANGELO\BAM MESSAGE VIEWERS to view the message; all other users will not be allowed to view it. Note that ASP.NET evaluates these rules in order and the first matching rule wins, so the <deny users="*" /> line must stay last: POST remains permitted for everyone, GET is permitted only for the group, and anything else is denied.
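To check what these rules actually do before deploying them, here is an added Python example (not from the original post) that parses the web.config fragment above and evaluates it with the first-matching-rule semantics ASP.NET URL authorisation uses; the user names are constructed, and the last check shows what happens if the deny rule is moved to the top.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the post's web.config fragment (MICROANGELO is the post's example domain).
WEB_CONFIG = r"""<configuration>
  <system.web>
    <authorization>
      <allow roles="Everyone" verbs="POST" />
      <allow roles="MICROANGELO\BAM MESSAGE VIEWERS" verbs="GET" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>"""

def _csv(value):
    # split a comma-separated users/roles/verbs attribute; missing attribute => []
    return [v.strip() for v in value.split(",")] if value else []

def parse_rules(config_xml):
    """Return the <authorization> rules in document order (order is significant)."""
    section = ET.fromstring(config_xml).find("./system.web/authorization")
    return [{"action": r.tag,                                  # "allow" or "deny"
             "users": _csv(r.get("users")),
             "roles": _csv(r.get("roles")),
             "verbs": [v.upper() for v in _csv(r.get("verbs"))]}  # [] means any verb
            for r in section]

def is_allowed(rules, user, roles, verb):
    """First matching rule wins, as in ASP.NET UrlAuthorizationModule; no match => allow."""
    for r in rules:
        if r["verbs"] and verb.upper() not in r["verbs"]:
            continue                                # rule only covers other verbs
        user_hit = "*" in r["users"] or user in r["users"]
        role_hit = any(g in r["roles"] for g in roles)
        if user_hit or role_hit:
            return r["action"] == "allow"
    return True

def bam_portal_checks(config_xml=WEB_CONFIG):
    """Outcomes for a normal BAM user and for a member of the viewers group."""
    rules = parse_rules(config_xml)
    everyone = ["Everyone"]
    viewers = ["Everyone", r"MICROANGELO\BAM MESSAGE VIEWERS"]
    alice, bob = r"MICROANGELO\alice", r"MICROANGELO\bob"     # constructed users
    deny_first = rules[-1:] + rules[:-1]   # same rules with <deny users="*"/> moved to the top
    return {
        "normal_post": is_allowed(rules, alice, everyone, "POST"),
        "normal_get": is_allowed(rules, alice, everyone, "GET"),
        "viewer_get": is_allowed(rules, bob, viewers, "GET"),
        "viewer_post": is_allowed(rules, bob, viewers, "POST"),
        "deny_first_viewer_get": is_allowed(deny_first, bob, viewers, "GET"),
    }
```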
There it is, enjoy.