After about a month and a half, I finally feel that I have had enough time with the Constable Authorization Engine (CAZE, hereafter) that I understand it enough to write about it. This is a big product. I'm actually a little intimidated by it (it's that big). It almost feels like one the Enterprise Library components (it's that big and appears to be that deep)
CAZE is all about application security policy (the rules for security). Dan Appleman describes windows security policy this way (and it applies here): all security policy decisions come down to this one question, "Can this account/role do this action with this object." CAZE does a good job of letting you apply this to your apps. It has a very sophisticated system for defining roles (and attaching the roles to Windows users/roles if you want), defining the secured objects, defining the actions that can take place on an object, and finally defining which actions each role can do on (this last piece are the rules of security policy). Overall, it gets a thumbs up.
I have been really impressed with their documentation. Their install also was really friendly and (if mmory serves me right) gave me the option to not install certain samples (this is a security feature in my mind). In general this product will help you get up and running, and you should be able to get up and running a lot faster than me (starting to examine a product for review when you are 1 week from when your wife is about to give birth is probably not the best timing). thumbs up.
Breadth of product
Like I said this product is big. You can programmatically create the complete policy as well as use an XML file (as an embedded resource) to define policy. You can associate roles with actual Windows roles or create you own. It will automatically grab the Windows principal (current user), but you can override this. Basically, you have a lot of flexibility, and the policy you can define/enforce can be very simplistic or very sophisticated. Palo has been using this library in his own consulting business, so it's well tested.
In my day job, I have a fairly sophisticated security system (rules involve users, areas of the app, objects, and actions), and I could implement my system with this package (and ultimately it would make my life easier). Thumbs up (I haven't seen anything else like this).
Thumbs up. Not much else to say. If you need something like this, it's a very nice package. I have yet to see anything like it. It's definitely an Enterprise level product. I'm not 100% clear on the licensing, but it appears that a single developer install will set you back $295 (usd) [it'll cost you less if you have even more developers]... I'm not sure whether you can distribute royalty free (I'm sure Palo will comment on this post and correct me).
You can buy it here at the official store.