Friday, 26 July 2013

BizTalk BAM View: how to attach related documents and restrict viewing to a select AD group only.

This blog entry is all about BAM, and in particular how to attach related documents. As part of this entry I also talk about BAM security, in particular how to restrict normal business users from viewing the related documents, while through IIS authorisation still allowing a subset of users to view the related documents of the associated BAM activity.

Well, attaching messages to a BAM activity is quite easy.

Here is the code.

First, in the orchestration (the calls below use OrchestrationEventStream), you will need to do the following:
// Add document reference: keep the message body and a link to it with the BAM activity
bamDocument = msgRequest.Body;
bamDocumentName = "Inbound Request";
// The URL format string and its arguments are cut off in the original post; the link is what the
// portal later resolves over an HTTP GET to BamManagementService.asmx
bamDocumentLink = System.String.Format("<portal document URL format, elided in the original>");
// Store the message body itself (longReferenceData) under the document name
Microsoft.BizTalk.Bam.EventObservation.OrchestrationEventStream.AddReference(bamActivityName, bamActivityID, bamDocumentName, "Message Body", System.DateTime.UtcNow.ToString(), bamDocument.DocumentElement.OuterXml);
// Store a DocumentUrl reference so the portal lists the link under Related Documents
Microsoft.BizTalk.Bam.EventObservation.OrchestrationEventStream.AddReference(bamActivityName, bamActivityID, "DocumentUrl", bamDocumentName, bamDocumentLink, "");

Enabling HTTP GET on the Portal (BamManagementService.asmx web.config):

            <!-- under <system.web><webServices><protocols> -->
            <add name="HttpGet"/>

Now let's talk about security. As you probably already know, all BAM users can view the related documents via the BAM web portal. We now want to restrict these users from viewing the message, as it may contain sensitive content. Hence we only want to allow a subset of privileged users the authorisation to view these messages.

An effective and easy solution is to use the ASP.NET authorisation rules in web.config. Because the "view message" action is the only action that issues GET requests to BamManagementService.asmx (as described above), we can add an authorisation rule that allows only a subset of users (an AD group) to view these related documents/messages. ASP.NET evaluates the rules in order and the first match wins, so the catch-all deny rule must come last.

Let's review the web.config:

    <authorization>
      <allow roles="Everyone" verbs="POST" />
      <allow roles="MICROANGELO\BAM MESSAGE VIEWERS" verbs="GET" />
      <deny users="*" />
    </authorization>

What I have done above is allow an AD group, MICROANGELO\BAM MESSAGE VIEWERS, access to view the message. All other users will not be allowed to view the message.
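To see exactly what those three rules grant, here is an added example (my own Python, not code from the post or from BizTalk) that re-implements ASP.NET's first-match-wins evaluation of <allow>/<deny> rules and runs it over the post's rule set and over a constructed open rule set. The group name is the one from the post; the user names and both web.config fragments are constructed for the example.

```python
"""Offline check of the ASP.NET URL authorisation rules that guard
BamManagementService.asmx.

Added example, not code from the original post or from BizTalk itself: it
re-implements the first-match-wins evaluation that ASP.NET's
UrlAuthorizationModule applies to <allow>/<deny> rules, so the two web.config
fragments from the post can be checked without a BizTalk server. Both
fragments below are constructed for this example; the AD group name is the one
from the post and the user names are hypothetical.
"""
import xml.etree.ElementTree as ET

# Constructed: the open rule set under which every BAM user can fetch a
# related document over GET.
OPEN_CONFIG = """<configuration>
  <system.web>
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>
</configuration>"""

# Constructed: the post's restricted rule set plus the HttpGet protocol entry.
RESTRICTED_CONFIG = """<configuration>
  <system.web>
    <webServices>
      <protocols>
        <add name="HttpGet" />
      </protocols>
    </webServices>
    <authorization>
      <allow roles="Everyone" verbs="POST" />
      <allow roles="MICROANGELO\\BAM MESSAGE VIEWERS" verbs="GET" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>"""

# Hypothetical principals: a member of the viewer group and an ordinary BAM user.
VIEWER = ("MICROANGELO\\alice", ["Everyone", "MICROANGELO\\BAM MESSAGE VIEWERS"])
USER = ("MICROANGELO\\bob", ["Everyone"])


def _split(attr):
    """Split a comma-separated web.config attribute; missing attribute -> []."""
    return [x.strip() for x in attr.split(",") if x.strip()] if attr else []


def parse_rules(web_config_xml):
    """Return the <allow>/<deny> rules in document order (order is significant)."""
    root = ET.fromstring(web_config_xml)
    auth = root.find("system.web/authorization")
    rules = []
    for el in (auth if auth is not None else []):
        if el.tag in ("allow", "deny"):
            rules.append({
                "action": el.tag,
                "users": _split(el.get("users")),
                "roles": _split(el.get("roles")),
                "verbs": [v.upper() for v in _split(el.get("verbs"))],
            })
    return rules


def http_get_enabled(web_config_xml):
    """True if <add name="HttpGet"/> is present under webServices/protocols."""
    root = ET.fromstring(web_config_xml)
    return any(el.get("name") == "HttpGet"
               for el in root.findall("system.web/webServices/protocols/add"))


def is_allowed(rules, user, roles, verb, authenticated=True):
    """First matching rule wins. A rule matches when its verbs list is empty
    or contains the verb, and its users ('*' = everyone, '?' = anonymous)
    or roles match the principal. No match falls through to the machine-level
    default of <allow users="*"/>."""
    verb = verb.upper()
    held = {r.lower() for r in roles}
    for rule in rules:
        if rule["verbs"] and verb not in rule["verbs"]:
            continue
        user_hit = any(u == "*" or (u == "?" and not authenticated)
                       or u.lower() == user.lower() for u in rule["users"])
        role_hit = any(r.lower() in held for r in rule["roles"])
        if user_hit or role_hit:
            return rule["action"] == "allow"
    return True


def check_config(web_config_xml):
    """Evaluate the access matrix a reviewer would want to see for the service."""
    rules = parse_rules(web_config_xml)
    return {
        "viewer_get": is_allowed(rules, VIEWER[0], VIEWER[1], "GET"),
        "user_get": is_allowed(rules, USER[0], USER[1], "GET"),
        "user_post": is_allowed(rules, USER[0], USER[1], "POST"),
        "anon_get": is_allowed(rules, "", [], "GET", authenticated=False),
    }


if __name__ == "__main__":
    for label, cfg in (("open", OPEN_CONFIG), ("restricted", RESTRICTED_CONFIG)):
        print(label, "HttpGet enabled:", http_get_enabled(cfg), check_config(cfg))
```

Running it shows that under the restricted rules only the viewer group gets GET, ordinary users keep POST for the portal's normal calls, and anonymous requests are denied; moving the deny rule to the top would block the viewer group as well, which is why <deny users="*"/> has to stay last. The check covers only the HTTP path through the management service: the message bodies stored with the activity's reference data in the BAMPrimaryImport database remain readable to anyone with direct read access to that database.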

There it is, enjoy.