Active Directory vs SqlServer which way to go?

Discussion in 'ASP .Net Security' started by Patrick.O.Ige, Nov 4, 2005.

  1. If I want to generate a menu structure depending on who is logged in
    in an intranet system (using Windows authentication), is it better to use the
    GROUPS in Active Directory,
    or to move the Active Directory groups into a SQL Server database and base
    the authorization and authentication on the SQL Server roles/groups?
    What's the best way to make use of the GROUPS in Active Directory to
    authorize users, apart from using web.config, where you have to set it
    configuratively like below (but I don't want this)?
    <authorization>
    <allow roles="DOMAIN\HRUsers" />
    <deny users="*" />
    </authorization>
    This works if I want to deny users who are not part of the GROUP
    "HRUSERS" (which just denies the URL .aspx page).
    Is it possible to store/collect all the Active Directory groups and use it
    in code to validate against USERS?
    (Apart from storing it in SQL Server?)

    or
    programmatically by doing:
    If Not (User.IsInRole("HR")) And Not (User.IsInRole("Managers")) Then
    ' Display the Button
    Else
    ' Don't display it!
    End If
    The bad side to these methods is that if you are calling a method several
    times from different applications, you will need to repeat the logic all
    the time. How can I do it declaratively using Active Directory?
    I know if I use a database with stored procedures that would be a benefit.
    Any thoughts?
     
    Patrick.O.Ige, Nov 4, 2005
    #1

  2. Patrick.O.Ige schrieb:

    > If Not (User.IsInRole("HR")) And Not (User.IsInRole("Managers")) Then
    > ' Display the Button
    > Else
    > ' Don't display it!
    > End If


    > The badside to these methods is that if you are calling a method several
    > times from different applications, you will need to repeat the logic all
    > the time. How can i do it declaratively using Active Directory.
    > I know if i use a database with stored procedures that would be a benefit.
    > Any thoughts?


    You can create a custom control button that only shows up if the user is in
    a role specified by a new property of the control. I created a
    button control and a panel control which work this way. This makes it very
    easy to hide and show role-specific parts of a page.

    Jan
     
    Jan Peter Stotz, Nov 4, 2005
    #2

  3. Thx Jan for the reply.
    But where was your Roles coming from?
    Is it from AD?
     
    Patrick.O.Ige, Nov 4, 2005
    #3
  4. Patrick.O.Ige schrieb:

    > Thx Jan for the reply.
    > But where was your Roles coming from?
    > Is it from AD?


    My own Principal implementation. I am using .NET 1.1 with form-based
    authentication. I do not use a plain role-based access model.
    My model uses a hierarchy based on the group memberships in the AD (I use
    the "tokenGroups" property to get all memberships, including the one
    set as the primary group).

    Jan
     
    Jan Peter Stotz, Nov 4, 2005
    #4
  5. Pardon me for poking in on this conversation, but do you have any examples of
    this for the relatively inexperienced? I have the same issue as the original
    poster, but I don't have his experience.

    Thanks,
    Patrick

     
    Patrick Allmond, Nov 4, 2005
    #5
  6. If the data is already in AD, what benefit could you get from trying to copy
    it into SQL server? That just sounds like a sync nightmare.

    It seems relatively straightforward to show and hide menu items based on
    calls to IsInRole and just use Windows authentication.

    I would probably add some sort of mapping layer so you have some indirection
    between the actual groups used to give you some configurability at runtime.
    AzMan is a good framework for this, but you can put something lighter weight
    together if you don't want to deal with it.

    Joe K.
     
    Joe Kaplan (MVP - ADSI), Nov 4, 2005
    #6
  7. Patrick Allmond schrieb:

    > Pardon me for poking in on this conversation, but do you have any examples of
    > this for the relatively inexperienced? I have the same issue as the original
    > poster, but I don't have his experience.


    I didn't have the experience when I started to create my asp.net
    application. Usually I am "learning by doing"...

    I found a lot of articles on msdn and the web that helped me to understand
    how authentication in ASP.net works.
    For more information search google for (or parts of it):
    asp .net forms authentication active directory

    One of the first links I get is this:
    "Building Secure ASP.NET Applications: Authentication, Authorization, and
    Secure Communication"
    http://msdn.microsoft.com/library/en-us/dnnetsec/html/SecNetHT02.asp

    It doesn't explain much, but it is a simple how-to and may help you with
    your start.

    Jan
     
    Jan Peter Stotz, Nov 4, 2005
    #7
  8. Sorry I did not clarify. Specifically I meant how did you get the custom
    control property to work - the one that checks the role before it decides to
    display or not?

    patrick

     
    Patrick Allmond, Nov 4, 2005
    #8
  9. Patrick Allmond schrieb:

    > Sorry I did not clarify. Specifically I meant how did you get the custom
    > control property to work - the one that checks the role before it decides to
    > display or not?


    Ok, I am not an expert in custom controls, so I post my code (vb.net),
    allowing everybody to review it.
    I hope the posted code compiles. I had to make some changes with a
    text editor to simplify it and had no vb.net compiler at hand to check if
    it works. My original code uses a separate class called "Authentificator"
    that implements my special "isInRole check". The posted version can only
    check one role, but it is easy to extend it to accept a somehow separated
    list (e.g. semicolon) of roles that will be checked.

    Imports System.Security.Principal
    Imports System.Web
    Imports System.Web.UI
    Imports System.Web.UI.WebControls

    Namespace MyWebControls
        ' A Button that is only rendered, and only fires its command, when the
        ' current user is in the role named by RequiredRole.
        Public Class SecurityButton
            Inherits Button

            Private _RequiredRole As String

            Public Property RequiredRole() As String
                Get
                    Return _RequiredRole
                End Get
                Set(ByVal Value As String)
                    _RequiredRole = Value
                End Set
            End Property

            ' Deny when no role is configured or no user is attached to the request,
            ' instead of passing Nothing to IsInRole.
            Private Function UserHasRole() As Boolean
                Dim p As IPrincipal = HttpContext.Current.User
                If p Is Nothing OrElse _RequiredRole Is Nothing OrElse _RequiredRole.Length = 0 Then
                    Return False
                End If
                Return p.IsInRole(_RequiredRole)
            End Function

            ' Hiding the markup alone is not enough: a postback can still raise the
            ' command event, so the command handler is guarded as well.
            Protected Overrides Sub Render(ByVal Output As HtmlTextWriter)
                If UserHasRole() Then
                    MyBase.Render(Output)
                End If
            End Sub

            Protected Overrides Sub OnCommand(ByVal e As CommandEventArgs)
                If UserHasRole() Then
                    MyBase.OnCommand(e)
                End If
            End Sub
        End Class
    End Namespace

    test.aspx:

    <%@ Page Language="VB" %>
    <%@ Register TagPrefix="asps" Namespace="MyWebControls" Assembly="MyWebControls" %>
    [..]
    <asps:SecurityButton RequiredRole="DOMAIN\Groupname" id="mySecurityButton"
        runat="server" />

    Jan
     
    Jan Peter Stotz, Nov 4, 2005
    #9
  10. Thx Joe for the response.
    Joe, I know it's like reinventing the wheel.
    But it has been a debate with some other developers and I have been trying
    to explain this.
    They just feel hardcoding the group using IsInRole to perform authorisation
    is not good enough, but the funniest thing
    is that even if you use SQL Server you would have to write stored procedures
    and at the same time maintain the sync with AD groups.
    Actually I have come across AzMan and I will get more into it.
    Thx guys..
    If there are more resources out there please do forward them.
    And thanks Jan for the snippet info, but it would be nice if you could blog
    that
    or post more tutorials to help others.
     
    Patrick.O.Ige, Nov 4, 2005
    #10
  11. Why not just create a simple mapping between groups and application-specific
    roles and store it in SQL or web.config or whatever? Then you don't
    hard-code the groups in your checks, but allow Windows to do the heavy
    lifting for you of figuring out your group membership at runtime?

    That is essentially what AzMan is about, although it is significantly more
    capable and includes several additional levels of indirection to support
    more granularity in your authorization (which can lead to better
    maintainability if you choose your operations carefully).

    Joe K.

     
    Joe Kaplan (MVP - ADSI), Nov 5, 2005
    #11
  12. Joe, when you say mapping, how would I go about mapping
    the groups? And how would it be stored in Web.Config?
    Patrick
     
    Patrick.O.Ige, Nov 7, 2005
    #12
  13. However you want!

    The most basic idea might be to have a bunch of appSettings that do
    something like:

    <add key="role1" value="domain\group1"/>

    Then, in your code, translate from "role1" into the actual group name at
    runtime.

    You can do many fancier things than that such as creating your own
    IPrincipal object that does this mapping for you so that it responds
    true/false to "role1" instead of "domain\group1". You can create your own
    custom configuration to store it. You can store the mapping in SQL.
    Whatever you want to do...

    Joe K.
     
    Joe Kaplan (MVP - ADSI), Nov 7, 2005
    #13
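Joe's mapping idea from #11 and #13 in working form, as an added example that is not code from the thread: a principal that wraps the WindowsPrincipal created by Windows authentication and answers IsInRole for application role names read from appSettings. The class name, the namespace and the "Role." key prefix are assumptions of this example; it targets the .NET 1.1 API (ConfigurationSettings.AppSettings) the thread is using.

```vb
' web.config fragment (constructed for this example): application role on the
' left, one or more AD groups (separated by ';') on the right.
'   <appSettings>
'     <add key="Role.HR"       value="DOMAIN\HRUsers" />
'     <add key="Role.Managers" value="DOMAIN\Managers;DOMAIN\Directors" />
'   </appSettings>

Imports System
Imports System.Collections
Imports System.Collections.Specialized
Imports System.Configuration
Imports System.Security.Principal
Imports System.Web

Namespace MyWebSecurity

    ' Wraps the principal produced by Windows authentication and answers
    ' IsInRole() for application role names ("HR") instead of AD group names,
    ' so no page or control has to know which group backs which role.
    Public Class RoleMappingPrincipal
        Implements IPrincipal

        Private Const KeyPrefix As String = "Role."
        Private _inner As IPrincipal
        Private _map As Hashtable   ' lower-cased role name -> String() of AD groups

        Public Sub New(ByVal inner As IPrincipal, ByVal settings As NameValueCollection)
            If inner Is Nothing Then Throw New ArgumentNullException("inner")
            _inner = inner
            _map = New Hashtable
            Dim key As String
            For Each key In settings.AllKeys
                If key.StartsWith(KeyPrefix) Then
                    Dim groups As String() = settings(key).Split(";"c)
                    Dim i As Integer
                    For i = 0 To groups.Length - 1
                        groups(i) = groups(i).Trim()
                    Next
                    _map(key.Substring(KeyPrefix.Length).ToLower()) = groups
                End If
            Next
        End Sub

        Public ReadOnly Property Identity() As IIdentity Implements IPrincipal.Identity
            Get
                Return _inner.Identity
            End Get
        End Property

        ' A role with no mapping is denied rather than passed through as a raw
        ' group name, so every check in the application goes through the table.
        Public Function IsInRole(ByVal role As String) As Boolean Implements IPrincipal.IsInRole
            If role Is Nothing Then Return False
            Dim groups As String() = CType(_map(role.ToLower()), String())
            If groups Is Nothing Then Return False
            Dim g As String
            For Each g In groups
                If _inner.IsInRole(g) Then Return True
            Next
            Return False
        End Function

        ' Call from Application_AuthenticateRequest in Global.asax. UrlAuthorizationModule
        ' also calls Context.User.IsInRole, so <allow roles="HR" /> in web.config and
        ' User.IsInRole("HR") in code then both resolve through the mapping.
        Public Shared Sub Install(ByVal context As HttpContext)
            Dim user As IPrincipal = context.User
            If user Is Nothing OrElse Not user.Identity.IsAuthenticated Then Return
            If TypeOf user Is RoleMappingPrincipal Then Return
            context.User = New RoleMappingPrincipal(user, ConfigurationSettings.AppSettings)
        End Sub
    End Class
End Namespace
```

With this installed, Jan's SecurityButton from #9 can be declared with RequiredRole="HR" instead of a group name, and changing which AD group backs "HR" becomes a web.config edit.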
  14. Thx Joe for the reply.
    I was just wondering: if I use Active Directory and make use of the Roles
    in my application, and a user belongs to more than one GROUP in the AD,
    and I need to assign some permissions to perform a particular task.
    Let's say a page where an Admin user can edit/update a field and other users
    can't.
    So for example if I use SQL Server tables I can have RoleIDs and assign them
    to users,
    for example 1-Edit, 2-Update etc.. I can do it to a user level...
    Is there a way to perform such a task with the AD?
    I mean to the user level?




    "Joe Kaplan (MVP - ADSI)" <> wrote
    in message news:...
    > However you want!
    >
    > The most basic idea might be to have a bunch of appSettings that do
    > something like:
    >
    > <add key="role1" value="domain\group1"/>
    >
    > Then, in your code, translate from "role1" into the actual group name at
    > runtime.
    >
    > You can do many fancier things than that such as creating your own
    > IPrincipal object that does this mapping for you so that it responds
    > true/false to "role1" instead of "domain\group1". You can create your own
    > custom configuration to store it. You can store the mapping in SQL.
    > Whatever you want to do...
    >
    > Joe K.
    >
    > "Patrick.O.Ige" <> wrote in message
    > news:%...
    > > Joe when you say mapping how would i go by mapping
    > > the groups.And how would it be stored in Web.Config?
    > > Patrick
    > >
    > > "Joe Kaplan (MVP - ADSI)" <>

    wrote
    > > in message news:#...
    > >> Why not just create a simple mapping between groups and

    > > application-specific
    > >> roles and store it in SQL or web.config or whatever? Then you don't
    > >> hard-code the groups in your checks, but allow Windows to do the heavy
    > >> lifting for you of figuring out your group membership at runtime?
    > >>
    > >> That is essentially what AzMan is about, although it is significantly
    > >> more
    > >> capable and includes several additional levels of indirection to

    support
    > >> more granularity in your authorization (which can lead to better
    > >> maintainability if you choose your operations carefully).
    > >>
    > >> Joe K.
    > >>
    > >> "Patrick.O.Ige" <> wrote in message
    > >> news:%...
    > >> > Thx Joe for the response.
    > >> > Joe i know its like re inventing the wheel.
    > >> > But it has been a debate with some other developers and i have been

    > > trying
    > >> > to explain this.
    > >> > They just feel hardcoding the group using IsinRole to perform
    > >> > Authorisation
    > >> > is not good enough but the funniest thing
    > >> > is that even if you use SQL server you would have to right stored
    > >> > procedures
    > >> > and at the same time mainatain the sync with AD Groups.
    > >> > Actually i have come across AzMan and i will get more into it.
    > >> > Thx guys..
    > >> > If there is more resources out there please do forward them.
    > >> > And thanks Jan for the snippet info but it would be nice if you could

    > > blog
    > >> > that
    > >> > or post more tutorials to help give others
    > >> >
    > >> >
    > >> >
    > >> >
    > >> > "Joe Kaplan (MVP - ADSI)" <>

    > > wrote
    > >> > in message news:O#...
    > >> >> If the data is already in AD, what benefit could you get from trying
    > >> >> to
    > >> > copy
    > >> >> it into SQL server? That just sounds like a sync nightmare.
    > >> >>
    > >> >> It seems relatively straightforward to show and hide menu items

    based
    > > on
    > >> >> calls to IsInRole and just use Windows authentication.
    > >> >>
    > >> >> I would probably add some sort of mapping layer so you have some
    > >> > indirection
    > >> >> between the actual groups used to give you some configurability at
    > >> > runtime.
    > >> >> AzMan is a good framework for this, but you can put something lighter weight together if you don't want to deal with it.
    > >> >>
    > >> >> Joe K.
    > >> >>
    > >> >> "Patrick.O.Ige" <> wrote in message
    > >> >> news:OgxH$...
    > >> >> > If i want to generate a menu structure depending on who is logged in
    > >> >> > in an intranet system(using windows authentication) is it better to use the GROUPS in Active Directory
    > >> >> > or to move the Active Directory groups into a Sql Server database
    > >> >> > and
    > >> > base
    > >> >> > the authrorization and authentication on the SQL Server
    > >> >> > roles/groups?
    > >> >> > Whats the best way to make use of the GROUPS in active directory to authorize
    > >> >> > users apart from using web.config where you have to set it
    > >> > configuratively
    > >> >> > like below(but i don't want this)
    > >> >> > <authorization>
    > >> >> > <allow roles="DOMAIN\HRUsers" />
    > >> >> > <deny users="*" />
    > >> >> > </authorization>
    > >> >> > This works if i want to deny users who are not part of the GROUP
    > >> >> > "HRUSERS"(Which just denies the URL .aspx page)
    > >> >> > Is it possible to store/collect all the Active Directory groups and use it in code to validate against USERS?
    > >> >> > (Apart from storing it in SQL server?)
    > >> >> >
    > >> >> > or
    > >> >> > programmatically by doing :-
    > >> >> > If Not (User.IsInRole("HR")) And Not (User.IsInRole("Managers"))
    > >> >> > Then
    > >> >> > ' Display the Button
    > >> >> > Else
    > >> >> > ' Don't display it!
    > >> >> > End If
    > >> >> > The badside to these methods is that if you are calling a method
    > >> >> > several
    > >> >> > times from different applications, you will need to repeat the
    > >> >> > logic
    > >> > all
    > >> >> > the time. How can i do it declaratively using Active Directory.
    > >> >> > I know if i use a database with stored procedures that would be a
    > >> > benefit.
    > >> >> > Any thoughts?
     
    Patrick.O.Ige, Nov 18, 2005
    #14
  15. I think what I was suggesting was that you do a mapping between your
    application specific roles (1-Edit, 2-Update, or whatever you want to call
    them) and the security principals in AD, whether they are users or groups.

    A role could contain one or more security principals, so you would have a
    lot of flexibility. You could create new groups in AD or use existing ones
    if the ones you needed already existed.

    Your app would make all of its security decisions based on the
    application-specific roles and you would write some code that could
    translate between your application roles and actual security principals at
    runtime based on the mapping you established and the actual security
    principals associated with a user at runtime (the user's name and her group
    memberships).

    AzMan does something very similar to this, so you might want to consider
    looking at it and reading some articles on it.

    Joe K.

    "Patrick.O.Ige" <> wrote in message
    news:...
    > Thx Joe for the reply.
    > I was just wondering that if i use Active Directory and make use of the
    > Roles
    > in my Application if a user belongs to more than one GROUP in the AD
    > and i need to assign some permissions to perform a particular task.
    > Lets say a page where a Admin user can Edit/ update a field and other
    > users
    > can't
    > So for example if i use SQL server tables i can have Roleid's and assign
    > it
    > to users
    > for example 1-Edit,2-Update etc..i can do it to a user level...
    > Is there a way to perform such task with the AD?
    > I mean to the user level?
    >
    >
    >
    >
    > "Joe Kaplan (MVP - ADSI)" <> wrote
    > in message news:...
    >> However you want!
    >>
    >> The most basic idea might be to have a bunch of appSettings that do
    >> something like:
    >>
    >> <add key="role1" value="domain\group1"/>
    >>
    >> Then, in your code, translate from "role1" into the actual group name at
    >> runtime.
    >>
    >> You can do many fancier things than that such as creating your own
    >> IPrincipal object that does this mapping for you so that it responds
    >> true/false to "role1" instead of "domain\group1". You can create your
    >> own
    >> custom configuration to store it. You can store the mapping in SQL.
    >> Whatever you want to do...
    >>
    >> Joe K.
    >>
    >> "Patrick.O.Ige" <> wrote in message
    >> news:%...
    >> > Joe when you say mapping how would i go by mapping
    >> > the groups.And how would it be stored in Web.Config?
    >> > Patrick
    >> >
    >> > "Joe Kaplan (MVP - ADSI)" <> wrote in message news:#...
    >> >> Why not just create a simple mapping between groups and
    >> > application-specific
    >> >> roles and store it in SQL or web.config or whatever? Then you don't
    >> >> hard-code the groups in your checks, but allow Windows to do the heavy
    >> >> lifting for you of figuring out your group membership at runtime?
    >> >>
    >> >> That is essentially what AzMan is about, although it is significantly
    >> >> more
    >> >> capable and includes several additional levels of indirection to support
    >> >> more granularity in your authorization (which can lead to better
    >> >> maintainability if you choose your operations carefully).
    >> >>
    >> >> Joe K.
    >> >>
    >> >> "Patrick.O.Ige" <> wrote in message
    >> >> news:%...
    >> >> > Thx Joe for the response.
    >> >> > Joe i know its like re inventing the wheel.
    >> >> > But it has been a debate with some other developers and i have been
    >> > trying
    >> >> > to explain this.
    >> >> > They just feel hardcoding the group using IsinRole to perform
    >> >> > Authorisation
    >> >> > is not good enough but the funniest thing
    >> >> > is that even if you use SQL server you would have to right stored
    >> >> > procedures
    >> >> > and at the same time mainatain the sync with AD Groups.
    >> >> > Actually i have come across AzMan and i will get more into it.
    >> >> > Thx guys..
    >> >> > If there is more resources out there please do forward them.
    >> >> > And thanks Jan for the snippet info but it would be nice if you
    >> >> > could
    >> > blog
    >> >> > that
    >> >> > or post more tutorials to help give others
    >> >> >
    >> >> >
    >> >> >
    >> >> >
    >> >> > "Joe Kaplan (MVP - ADSI)" <>
    >> > wrote
    >> >> > in message news:O#...
    >> >> >> If the data is already in AD, what benefit could you get from
    >> >> >> trying
    >> >> >> to
    >> >> > copy
    >> >> >> it into SQL server? That just sounds like a sync nightmare.
    >> >> >>
    >> >> >> It seems relatively straightforward to show and hide menu items based on calls to IsInRole and just use Windows authentication.
    >> >> >>
    >> >> >> I would probably add some sort of mapping layer so you have some
    >> >> > indirection
    >> >> >> between the actual groups used to give you some configurability at
    >> >> > runtime.
    >> >> >> AzMan is a good framework for this, but you can put something lighter weight together if you don't want to deal with it.
    >> >> >>
    >> >> >> Joe K.
    >> >> >>
    >> >> >> "Patrick.O.Ige" <> wrote in message
    >> >> >> news:OgxH$...
    >> >> >> > If i want to generate a menu structure depending on who is logged in
    >> >> >> > in an intranet system(using windows authentication) is it better to use the GROUPS in Active Directory
    >> >> >> > or to move the Active Directory groups into a Sql Server database
    >> >> >> > and
    >> >> > base
    >> >> >> > the authrorization and authentication on the SQL Server
    >> >> >> > roles/groups?
    >> >> >> > Whats the best way to make use of the GROUPS in active directory to authorize
    >> >> >> > users apart from using web.config where you have to set it
    >> >> > configuratively
    >> >> >> > like below(but i don't want this)
    >> >> >> > <authorization>
    >> >> >> > <allow roles="DOMAIN\HRUsers" />
    >> >> >> > <deny users="*" />
    >> >> >> > </authorization>
    >> >> >> > This works if i want to deny users who are not part of the GROUP
    >> >> >> > "HRUSERS"(Which just denies the URL .aspx page)
    >> >> >> > Is it possible to store/collect all the Active Directory groups and use it in code to validate against USERS?
    >> >> >> > (Apart from storing it in SQL server?)
    >> >> >> >
    >> >> >> > or
    >> >> >> > programmatically by doing :-
    >> >> >> > If Not (User.IsInRole("HR")) And Not (User.IsInRole("Managers"))
    >> >> >> > Then
    >> >> >> > ' Display the Button
    >> >> >> > Else
    >> >> >> > ' Don't display it!
    >> >> >> > End If
    >> >> >> > The badside to these methods is that if you are calling a method
    >> >> >> > several
    >> >> >> > times from different applications, you will need to repeat the
    >> >> >> > logic
    >> >> > all
    >> >> >> > the time. How can i do it declaratively using Active Directory.
    >> >> >> > I know if i use a database with stored procedures that would be a
    >> >> > benefit.
    >> >> >> > Any thoughts?
     
    Joe Kaplan \(MVP - ADSI\), Nov 18, 2005
    #15
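    The mapping layer Joe describes in this reply (application roles resolved at runtime to AD users or groups, answered through a custom IPrincipal as he suggests in the quoted message), written out as an added C# example; this is not code from the thread, and the RoleMappingPrincipal class, the "user:" prefix convention and the DOMAIN\... names are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical wrapper (added example, not code from the thread): answers IsInRole
// for application roles via a role -> AD-principal map, delegating group checks
// to the wrapped Windows principal so the logon token stays the source of truth.
public sealed class RoleMappingPrincipal : IPrincipal
{
    private readonly IPrincipal _inner;
    private readonly Dictionary<string, string[]> _map;

    public RoleMappingPrincipal(IPrincipal inner, IDictionary<string, string[]> map)
    {
        _inner = inner;
        _map = new Dictionary<string, string[]>(map, StringComparer.OrdinalIgnoreCase);
    }

    public IIdentity Identity { get { return _inner.Identity; } }

    public bool IsInRole(string role)
    {
        string[] principals;
        if (!_map.TryGetValue(role, out principals))
            return false; // unmapped application role: deny by default
        foreach (string p in principals)
        {
            // Assumed convention: "user:" names one account (Patrick's "user level");
            // anything else is a group that Windows resolves from the logon token.
            if (p.StartsWith("user:", StringComparison.OrdinalIgnoreCase))
            {
                if (string.Equals(_inner.Identity.Name, p.Substring(5),
                                  StringComparison.OrdinalIgnoreCase)) return true;
            }
            else if (_inner.IsInRole(p)) return true;
        }
        return false;
    }
}

public static class Demo
{
    // Constructed mapping in the shape you would load from appSettings,
    // e.g. <add key="Edit" value="DOMAIN\HRAdmins;user:DOMAIN\jsmith"/>.
    public static IDictionary<string, string[]> LoadMapping()
    {
        return new Dictionary<string, string[]>
        {
            { "Edit", new[] { @"DOMAIN\HRAdmins", @"user:DOMAIN\jsmith" } },
            { "View", new[] { @"DOMAIN\HRUsers" } },
        };
    }

    public static void Main()
    {
        // Stand-in for HttpContext.Current.User; in ASP.NET you would wrap the real
        // WindowsPrincipal, e.g. in Global.asax Application_AuthenticateRequest.
        var windowsUser = new GenericPrincipal(
            new GenericIdentity(@"DOMAIN\jsmith"), new[] { @"DOMAIN\HRUsers" });
        IPrincipal user = new RoleMappingPrincipal(windowsUser, LoadMapping());
        foreach (string role in new[] { "Edit", "View", "Delete" })
            Console.WriteLine(role + ": " + user.IsInRole(role));
    }
}
```

    Page code then asks only for application roles (`User.IsInRole("Edit")`), so renaming or adding an AD group is a mapping change rather than a code change in every application.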
  16. Thx Joe
    "Joe Kaplan (MVP - ADSI)" <> wrote
    in message news:...
    > I think what I was suggesting was that you do a mapping between your
    > application specific roles (1-Edit, 2-Update, or whatever you want to call
    > them) and the security principals in AD, whether they are users or groups.
    >
    > A role could contain one or more security principals, so you would have a
    > lot of flexibility. You could create new groups in AD or use existing ones
    > if the ones you needed already existed.
    >
    > Your app would make all of its security decisions based on the
    > application-specific roles and you would write some code that could
    > translate between your application roles and actual security principals at
    > runtime based on the mapping you established and the actual security
    > principals associated with a user at runtime (the user's name and her group
    > memberships).
    >
    > AzMan does something very similar to this, so you might want to consider
    > looking at it and reading some articles on it.
    >
    > Joe K.
    >
    > "Patrick.O.Ige" <> wrote in message
    > news:...
    > > Thx Joe for the reply.
    > > I was just wondering that if i use Active Directory and make use of the
    > > Roles
    > > in my Application if a user belongs to more than one GROUP in the AD
    > > and i need to assign some permissions to perform a particular task.
    > > Lets say a page where a Admin user can Edit/ update a field and other
    > > users
    > > can't
    > > So for example if i use SQL server tables i can have Roleid's and assign
    > > it
    > > to users
    > > for example 1-Edit,2-Update etc..i can do it to a user level...
    > > Is there a way to perform such task with the AD?
    > > I mean to the user level?
    > >
    > >
    > >
    > >
    > > "Joe Kaplan (MVP - ADSI)" <> wrote in message news:...
    > >> However you want!
    > >>
    > >> The most basic idea might be to have a bunch of appSettings that do
    > >> something like:
    > >>
    > >> <add key="role1" value="domain\group1"/>
    > >>
    > >> Then, in your code, translate from "role1" into the actual group name at runtime.
    > >>
    > >> You can do many fancier things than that such as creating your own
    > >> IPrincipal object that does this mapping for you so that it responds
    > >> true/false to "role1" instead of "domain\group1". You can create your
    > >> own
    > >> custom configuration to store it. You can store the mapping in SQL.
    > >> Whatever you want to do...
    > >>
    > >> Joe K.
    > >>
    > >> "Patrick.O.Ige" <> wrote in message
    > >> news:%...
    > >> > Joe when you say mapping how would i go by mapping
    > >> > the groups.And how would it be stored in Web.Config?
    > >> > Patrick
    > >> >
    > >> > "Joe Kaplan (MVP - ADSI)" <> wrote in message news:#...
    > >> >> Why not just create a simple mapping between groups and
    > >> > application-specific
    > >> >> roles and store it in SQL or web.config or whatever? Then you don't
    > >> >> hard-code the groups in your checks, but allow Windows to do the heavy
    > >> >> lifting for you of figuring out your group membership at runtime?
    > >> >>
    > >> >> That is essentially what AzMan is about, although it is significantly more
    > >> >> capable and includes several additional levels of indirection to support
    > >> >> more granularity in your authorization (which can lead to better
    > >> >> maintainability if you choose your operations carefully).
    > >> >>
    > >> >> Joe K.
    > >> >>
    > >> >> "Patrick.O.Ige" <> wrote in message
    > >> >> news:%...
    > >> >> > Thx Joe for the response.
    > >> >> > Joe i know its like re inventing the wheel.
    > >> >> > But it has been a debate with some other developers and i have been trying
    > >> >> > to explain this.
    > >> >> > They just feel hardcoding the group using IsinRole to perform
    > >> >> > Authorisation
    > >> >> > is not good enough but the funniest thing
    > >> >> > is that even if you use SQL server you would have to right stored
    > >> >> > procedures
    > >> >> > and at the same time mainatain the sync with AD Groups.
    > >> >> > Actually i have come across AzMan and i will get more into it.
    > >> >> > Thx guys..
    > >> >> > If there is more resources out there please do forward them.
    > >> >> > And thanks Jan for the snippet info but it would be nice if you
    > >> >> > could
    > >> > blog
    > >> >> > that
    > >> >> > or post more tutorials to help give others
    > >> >> >
    > >> >> >
    > >> >> >
    > >> >> >
    > >> >> > "Joe Kaplan (MVP - ADSI)" <> wrote in message news:O#...
    > >> >> >> If the data is already in AD, what benefit could you get from
    > >> >> >> trying
    > >> >> >> to
    > >> >> > copy
    > >> >> >> it into SQL server? That just sounds like a sync nightmare.
    > >> >> >>
    > >> >> >> It seems relatively straightforward to show and hide menu items based on calls to IsInRole and just use Windows authentication.
    > >> >> >>
    > >> >> >> I would probably add some sort of mapping layer so you have some
    > >> >> > indirection
    > >> >> >> between the actual groups used to give you some configurability at runtime.
    > >> >> >> AzMan is a good framework for this, but you can put something lighter weight together if you don't want to deal with it.
    > >> >> >>
    > >> >> >> Joe K.
    > >> >> >>
    > >> >> >> "Patrick.O.Ige" <> wrote in message
    > >> >> >> news:OgxH$...
    > >> >> >> > If i want to generate a menu structure depending on who is logged in
    > >> >> >> > in an intranet system(using windows authentication) is it better to use the GROUPS in Active Directory
    > >> >> >> > or to move the Active Directory groups into a Sql Server database and base
    > >> >> >> > the authrorization and authentication on the SQL Server
    > >> >> >> > roles/groups?
    > >> >> >> > Whats the best way to make use of the GROUPS in active directory to authorize
    > >> >> >> > users apart from using web.config where you have to set it
    > >> >> > configuratively
    > >> >> >> > like below(but i don't want this)
    > >> >> >> > <authorization>
    > >> >> >> > <allow roles="DOMAIN\HRUsers" />
    > >> >> >> > <deny users="*" />
    > >> >> >> > </authorization>
    > >> >> >> > This works if i want to deny users who are not part of the GROUP
    > >> >> >> > "HRUSERS"(Which just denies the URL .aspx page)
    > >> >> >> > Is it possible to store/collect all the Active Directory groups and use it in code to validate against USERS?
    > >> >> >> > (Apart from storing it in SQL server?)
    > >> >> >> >
    > >> >> >> > or
    > >> >> >> > programmatically by doing :-
    > >> >> >> > If Not (User.IsInRole("HR")) And Not (User.IsInRole("Managers")) Then
    > >> >> >> > ' Display the Button
    > >> >> >> > Else
    > >> >> >> > ' Don't display it!
    > >> >> >> > End If
    > >> >> >> > The badside to these methods is that if you are calling a method several
    > >> >> >> > times from different applications, you will need to repeat the
    > >> >> >> > logic
    > >> >> > all
    > >> >> >> > the time. How can i do it declaratively using Active Directory.
    > >> >> >> > I know if i use a database with stored procedures that would be a benefit.
    > >> >> >> > Any thoughts?
     
    Patrick.O.Ige, Nov 21, 2005
    #16