You can add multiple conditions to IQueryable dynamically. So you can do something like:

[PrincipalPermission(SecurityAction.Demand, Role="DepartmentManager")]
public IEnumerable<Employee> GetManagedEmployees()
  // build base query
  var query = from e in context.Employees
              select e;

  // add condition
  query = AddDepartmentPermissions(query);
  return query.AsEnumerable();

And your AddDepartmentPermissions will look like:

private IQueryable<Employee> AddDepartmentPermission(IQueryable<Employee> query)
  int departmentId = GetAllowedDepartmentSomewhere();
  return query.Where(e => e.Department.Id == departmentId);

This is just an example where PrincipalPermission don't allow calling GetManagedEmployees for non manager roles and AddDepartmentPermission adds query part for selection employees only from allowed department.

The main point is that you can wrap IQueryable<T> to methods which will modify query. I believe it should be even possible to add Interception (aspects) directly to properties exposing ObjectSet and dynamically add query parts dealing with security.

Related Articles