Active Directory vs SqlServer which way to go?

[Patrick.O.Ige]

If i want to generate a menu structure depending on who is logged in
in an intranet system(using windows authentication) is it better to use the
GROUPS in Active Directory
or to move the Active Directory groups into a Sql Server database and base
the authrorization and authentication on the SQL Server roles/groups?
Whats the best way to make use of the GROUPS in active directory to
authorize
users apart from using web.config where you have to set it configuratively
like below(but i don't want this)
<authorization>
<allow roles="DOMAIN\HRUsers" />
<deny users="*" />
</authorization>
This works if i want to deny users who are not part of the GROUP
"HRUSERS"(Which just denies the URL .aspx page)
Is it possible to store/collect all the Active Directory groups and use it
in code to validate against USERS?
(Apart from storing it in SQL server?)

or
programmatically by doing :-
If Not (User.IsInRole("HR")) And Not (User.IsInRole("Managers")) Then
' Display the Button
Else
' Don't display it!
End If
The badside to these methods is that if you are calling a method several
times from different applications, you will need to repeat the logic all
the time. How can i do it declaratively using Active Directory.
I know if i use a database with stored procedures that would be a benefit.
Any thoughts?

 

[Jan Peter Stotz]

If Not (User.IsInRole("HR")) And Not (User.IsInRole("Managers")) Then
' Display the Button
Else
' Don't display it!
End If

The badside to these methods is that if you are calling a method several
times from different applications, you will need to repeat the logic all
the time. How can i do it declaratively using Active Directory.
I know if i use a database with stored procedures that would be a benefit.
Any thoughts?

You can create a custom control button that only shows up if the user is in
a role specified by a new property of the control. I created a
button-control and a panel-control wich work this way. This makes it very
easy to hide and show role-specific parts of a page.

Jan

 

[Patrick.O.Ige]

Thx Jan for the reply.
But where was your Roles coming from?
Is it from AD?

 

[Jan Peter Stotz]

Thx Jan for the reply.
But where was your Roles coming from?
Is it from AD?

My own Principal implementation. I am using .NET 1.1 with form based
authentication. I do not use a plain role-based access model.
My model uses a hierarchy based on the group memberships in the AD (i use
the property "tokenGroups" for getting all memberships including this which
are set as primary group):

Jan

 

[Patrick Allmond]

Pardon me for poking in on this conversation, but do you have any examples of
this for the relatively inexperienced? I have the same issue as the original
poster, but I don't have his experience.

Thanks,
Patrick

 

[Joe Kaplan \(MVP - ADSI\)]

If the data is already in AD, what benefit could you get from trying to copy
it into SQL server? That just sounds like a sync nightmare.

It seems relatively straightforward to show and hide menu items based on
calls to IsInRole and just use Windows authentication.

I would probably add some sort of mapping layer so you have some indirection
between the actual groups used to give you some configurability at runtime.
AzMan is a good framework for this, but you can put something lighter weight
together if you don't want to deal with it.

Joe K.

 

[Jan Peter Stotz]

Pardon me for poking in on this conversation, but do you have any examples of
this for the relatively inexperienced? I have the same issue as the original
poster, but I don't have his experience.

I didn't had the experience, when I started to create my asp.net
application. Usually I am "learning-by-doing"...

I found a lot of articles on msdn and the web that helped me to understand
how authentication in ASP.net works.
For more information search google for (or parts of it):
asp .net forms authentication active directory

One of the first links I get is this:
"Building Secure ASP.NET Applications: Authentication, Authorization, and
Secure Communication"
http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetHT02.asp

It doesn't explain much, but it is a simple how-to and may help you with
your start.

Jan

 

[Patrick Allmond]

Sorry I did not clarify. Specifically I meant how did you get the custom
control property to work - the one that checks the role before it decides to
display or not?

patrick

 

[Jan Peter Stotz]

Sorry I did not clarify. Specifically I meant how did you get the custom
control property to work - the one that checks the role before it decides to
display or not?

Ok, I am not an expert in custom controls, so I post my code (vb.net)
allowing everybody to review it.
I hope the posted code compiles. I had to made some changes with a
texteditor to simplify it and no vb.net compiler at hand for checking, if
it works. My original code uses a separate class called "Authentificator"
that implements my special "isinRole-Check". The posted version can only
check one role, but it is easy to extend it to accept a somehow separated
list (e.g. semicolon) of roles that will be checked.

Namespace MyWebControls
Public Class SecurityButton : Inherits Button

Private _RequiredRole as String

Public Property RequiredRole As String
Get
return _RequiredRole
End Get
Set
_RequiredRole = Value
End Set
End Property

Protected Overrides Sub Render(Output As HtmlTextWriter)
Dim p As Principal = HttpContext.Current.User
If p.isInRole(_RequiredRole) Then
MyBase.Render(Output)
End If
End Sub

Protected Overrides Sub OnCommand(ByVal e As CommandEventArgs)
Dim p As Principal = HttpContext.Current.User
If p.isInRole(_RequiredRole) Then
MyBase.OnCommand(e)
End If
End Sub
End Class
End Namespace

test.aspx:

<%@ Page Language="VB" %>
<%@ Register TagPrefix="asps" Namespace="MyWebControls"
Assembly="MyWebControls" %>
[..]
<asps:SecurityButton RequiredRole="DOMAIN\Groupname" id="mySecurityButton"
runat="server">

Jan

 

[Patrick.O.Ige]

Thx Joe for the response.
Joe i know its like re inventing the wheel.
But it has been a debate with some other developers and i have been trying
to explain this.
They just feel hardcoding the group using IsinRole to perform Authorisation
is not good enough but the funniest thing
is that even if you use SQL server you would have to right stored procedures
and at the same time mainatain the sync with AD Groups.
Actually i have come across AzMan and i will get more into it.
Thx guys..
If there is more resources out there please do forward them.
And thanks Jan for the snippet info but it would be nice if you could blog
that
or post more tutorials to help give others

 

[Joe Kaplan \(MVP - ADSI\)]

Why not just create a simple mapping between groups and application-specific
roles and store it in SQL or web.config or whatever? Then you don't
hard-code the groups in your checks, but allow Windows to do the heavy
lifting for you of figuring out your group membership at runtime?

That is essentially what AzMan is about, although it is significantly more
capable and includes several additional levels of indirection to support
more granularity in your authorization (which can lead to better
maintainability if you choose your operations carefully).

Joe K.

 

[Patrick.O.Ige]

Joe when you say mapping how would i go by mapping
the groups.And how would it be stored in Web.Config?
Patrick

 

[Joe Kaplan \(MVP - ADSI\)]

However you want!

The most basic idea might be to have a bunch of appSettings that do
something like:

<add key="role1" value="domain\group1"/>

Then, in your code, translate from "role1" into the actual group name at
runtime.

You can do many fancier things than that such as creating your own
IPrincipal object that does this mapping for you so that it responds
true/false to "role1" instead of "domain\group1". You can create your own
custom configuration to store it. You can store the mapping in SQL.
Whatever you want to do...

Joe K.

 

[Patrick.O.Ige]

Thx Joe for the reply.
I was just wondering that if i use Active Directory and make use of the
Roles
in my Application if a user belongs to more than one GROUP in the AD
and i need to assign some permissions to perform a particular task.
Lets say a page where a Admin user can Edit/ update a field and other users
can't
So for example if i use SQL server tables i can have Roleid's and assign it
to users
for example 1-Edit,2-Update etc..i can do it to a user level...
Is there a way to perform such task with the AD?
I mean to the user level?

 

[Joe Kaplan \(MVP - ADSI\)]

I think what I was suggesting was that you do a mapping between your
application specific roles (1-Edit, 2-Update, or whatever you want to call
them) and the security principals in AD, whether they are users or groups.

A role could contain one more more security principals, so you would have a
lot of flexibility. You could create new groups in AD or use existing ones
if the ones you needed already existed.

Your app would make all of its security decisions based on the
application-specific roles and you would write some code that could
translate between your application roles and actual security principals at
runtime based on the mapping you established and the actual security
principals associated with a user at runtime (the user's name and her group
memberships).

AzMan does something very similar to this, so you might want to consider
looking at it and reading some articles on it.

Joe K.

 

[Patrick.O.Ige]

Thx Joe

I think what I was suggesting was that you do a mapping between your
application specific roles (1-Edit, 2-Update, or whatever you want to call
them) and the security principals in AD, whether they are users or groups.

A role could contain one more more security principals, so you would have a
lot of flexibility. You could create new groups in AD or use existing ones
if the ones you needed already existed.

Your app would make all of its security decisions based on the
application-specific roles and you would write some code that could
translate between your application roles and actual security principals at
runtime based on the mapping you established and the actual security
principals associated with a user at runtime (the user's name and her group
memberships).

AzMan does something very similar to this, so you might want to consider
looking at it and reading some articles on it.

Joe K.