Sometimes, administrative role-based security it not granular enough for the task at hand. Consider a situation in which your application maintains a private resource (such as a database) that does not expose any public interfaces directly to the clients. You still want to allow only some callers of a method to access the resource and deny access to other callers who are not members of a specific role. The second (and more common) situation is when a method is invoked on your object and you want to know whether the caller is a member of a particular role so you can better handle the call.

To illustrate the second situation, suppose in the bank example, one of the requirements is that a customer can transfer money only if the sum involved is less than $5,000, whereas managers and tellers can transfer any amount. Declarative role-based security goes down only to the method level (not the parameter level) and can only assure you that the caller is a member of at least one of the roles you have granted access to.

To implement the requirement, you must find out the caller’s role programmatically. Fortunately, COM+ makes it easy to do just that. Remember that every method call is represented by a COM+ call object (discussed in Chapter 2). The call object implements an interface called ISecurityCallContext , obtained by calling CoGetCallContext( ) . ISecurityCallContext provides a method called IsCallerInRole( ), which lets you verify the caller’s role ...