Assigning application specific rights to existing Windows domain users

Discussion in 'ASP .Net Security' started by Kursat, May 2, 2007.

  1. Kursat

    Kursat Guest

    Hello,

    I am developing a Web based (ASP.NET 2.0) intranet application which will
    run in a Windows domain environment. Users will login using their domain
    accounts. So far so good, but if a user has a valid domain account he or
    she can access all the functionality exposed by the application, whereas I
    want users to be able to use only a previously assigned set of application
    functions. How can I assign application specific rights to existing domain users?

    Thanks in advance.
     
    Kursat, May 2, 2007
    #1

  2. On May 2, 1:55 pm, "Kursat" <> wrote:
    > Hello,
    >
    > I am developing a Web based (ASP.NET 2.0) intranet application which will
    > run in a Windows domain environment. Users will login using their domain
    > accounts. So far so good, but if a user has a valid domain account he or
    > she can access all the functionality exposed by the application, whereas I
    > want users to be able to use only a previously assigned set of application
    > functions. How can I assign application specific rights to existing domain users?
    >
    > Thanks in advance.


    you can create a database containing user IDs and roles.

    in global.asax you can use these roles as per example

    Imports System.Security.Principal

    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        If Request.IsAuthenticated Then
            ' Get data from the database, e.g.
            ' SELECT role FROM users WHERE username = Context.User.Identity.Name
            ' (GetMyUserRoles is your own lookup against that table)
            Dim roles() As String = GetMyUserRoles(Context.User.Identity.Name)

            ' Add our own custom principal to the request containing the roles
            ' in the auth ticket
            Context.User = New GenericPrincipal(Context.User.Identity, roles)
        End If
    End Sub
     
    Alexey Smirnov, May 2, 2007
    #2

  3. Kursat

    Kursat Guest

    Hi Alexey,
    If I use a separate database for my application users, how can I keep my
    database in sync with Active Directory?

    "Alexey Smirnov" <> wrote in message
    news:...
    > On May 2, 1:55 pm, "Kursat" <> wrote:
    >> Hello,
    >>
    >> I am developing a Web based (ASP.NET 2.0) intranet application which will
    >> run in a Windows domain environment. Users will login using their domain
    >> accounts. So far so good, but if a user has a valid domain account he or
    >> she can access all the functionality exposed by the application, whereas I
    >> want users to be able to use only a previously assigned set of application
    >> functions. How can I assign application specific rights to existing domain users?
    >>
    >> Thanks in advance.

    >
    > you can create a database containing user IDs and roles.
    >
    > in global.asax you can use these roles as per example
    >
    > Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As
    > EventArgs)
    >
    > If Request.IsAuthenticated Then
    >
    > ' Get data from the database. E.g. select roles from users where
    > username=Context.User.Identity.Name
    > Dim roles() As String = GetMyUserRoles(Context.User.Identity.Name)
    >
    > ' Add our own custom principal to the request containing the roles in
    > the auth ticket
    > Context.User = New GenericPrincipal(Context.User.Identity, roles)
    >
    > End If
    >
    > End Sub
    >
     
    Kursat, May 2, 2007
    #3
  4. On May 2, 8:36 pm, "Kursat" <> wrote:
    > Hi Alexey,
    > If I use a separate database for my application users, how can I keep my
    > database in sync with Active Directory?
    >


    I think there are two points to mention. The first is the place where
    you manage your users and rights. The second one is the authorization
    process. Do you need to authorize a user based on his/her rights from
    the Active Directory, or do you only have his/her user id?

    The user information (and roles) comes out of the Active Directory,
    you can either use

    User.IsInRole() property

    or

    you can configure web.config

    <allow roles="PC\group" />

    etc
     
    Alexey Smirnov, May 2, 2007
    #4
  5. On May 2, 11:37 pm, Alexey Smirnov <> wrote:
    > On May 2, 8:36 pm, "Kursat" <> wrote:
    >
    > > Hi Alexey,
    > > If I use a separate database for my application users, how can I keep my
    > > database in sync with Active Directory?

    >
    > I think there are two points to mention. The first is the place where
    > you manage your users and rights. The second one is the authorization
    > process. Do you need to authorize a user based on his/her rights from
    > the Active Directory, or do you only have his/her user id?
    >
    > The user information (and roles) comes out of the Active Directory,
    > you can either use



    I mean

    If the user information (and roles) comes out of the Active
    Directory...
     
    Alexey Smirnov, May 2, 2007
    #5
  6. Kursat

    Kursat Guest

    Alexey, thanks for your reply.

    I determined some application specific roles based on operations and
    resource access rights and want to build a generic security framework which
    can work integrated with Active Directory. So I should consider using domain
    groups as roles. The main problem is that we generally have more detailed
    roles than our customers' domain groups. So some new groups should be
    created on the customer's side to satisfy our (not ours but theirs, indeed!)
    security needs. But customers resist modifying their directory structure to
    get every single application working. Then how can I realize the goals below
    with the problem in hand?

    - Every user will authenticate using their domain user information
    - Authorization based on application specific roles, while it is impossible
    to create a new domain group for every role.

    I know I should use a separate store to assign users to roles, but how can I
    keep this store and Active Directory synchronized? How can I get notified if
    a user in one of my roles is deleted from Active Directory?


    "Alexey Smirnov" <> wrote in message
    news:...
    > On May 2, 8:36 pm, "Kursat" <> wrote:
    >> Hi Alexey,
    >> If I use a separate database for my application users, how can I keep my
    >> database in sync with Active Directory?
    >>

    >
    > I think there are two points to mention. The first is the place where
    > you manage your users and rights. The second one is the authorization
    > process. Do you need to authorize a user based on his/her rights from
    > the Active Directory, or do you only have his/her user id?
    >
    > The user information (and roles) comes out of the Active Directory,
    > you can either use
    >
    > User.IsInRole() property
    >
    > or
    >
    > you can configure web.config
    >
    > <allow roles="PC\group" />
    >
    > etc
    >
     
    Kursat, May 3, 2007
    #6
  8. On May 3, 3:36 pm, "Kursat" <> wrote:
    > Alexey, thanks for your reply.
    >
    > I determined some application specific roles based on operations and
    > resource access rights and want to build a generic security framework which
    > can work integrated with Active Directory. So I should consider using domain
    > groups as roles. The main problem is that we generally have more detailed
    > roles than our customers' domain groups. So some new groups should be
    > created on the customer's side to satisfy our (not ours but theirs, indeed!)
    > security needs. But customers resist modifying their directory structure to
    > get every single application working. Then how can I realize the goals below
    > with the problem in hand?
    >
    > - Every user will authenticate using their domain user information
    > - Authorization based on application specific roles, while it is impossible
    > to create a new domain group for every role.
    >
    > I know I should use a separate store to assign users to roles, but how can I
    > keep this store and Active Directory synchronized? How can I get notified if
    > a user in one of my roles is deleted from Active Directory?


    Being synchronized is not a problem; you can have a scheduled job to
    check that on a regular basis.

    However, I think you can consider the code from my first answer and
    try to follow it. When you create a new auth ticket you can join
    your "database" roles with the AD groups. All that has to be added
    there is an enumeration of the AD groups, adding them into the roles()
    array.
     
    Alexey Smirnov, May 3, 2007
    #8
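Putting Alexey's first answer and his last one together, here is an added example (not code from the thread) of a Global.asax handler that merges the user's AD groups with roles from an application table. It assumes web.config has Windows authentication enabled, a table UserRoles(AccountName, RoleName) in the application database, a connection string named AppRoles, and the class name Global_asax; all of these are assumptions, not something the thread states.

```vb
Imports System.Collections.Generic
Imports System.Configuration
Imports System.Data.SqlClient
Imports System.Security.Principal
Imports System.Web

Public Class Global_asax
    Inherits HttpApplication
    ' Runs on every request after IIS/ASP.NET has authenticated the domain user.
    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
        If Not Request.IsAuthenticated Then Return
        ' Only a Windows (domain) logon carries AD group membership.
        Dim winIdentity As WindowsIdentity = TryCast(Context.User.Identity, WindowsIdentity)
        If winIdentity Is Nothing Then Return
        Dim roles As New List(Of String)
        ' 1. AD groups: resolve each group SID to a DOMAIN\Group name.
        For Each groupSid As IdentityReference In winIdentity.Groups
            Try
                roles.Add(groupSid.Translate(GetType(NTAccount)).Value)
            Catch ex As IdentityNotMappedException
                ' SID of a group that no longer exists: skip it rather than guess a name.
            End Try
        Next
        ' 2. Application-specific roles from the app's own store, keyed by DOMAIN\user.
        roles.AddRange(GetApplicationRoles(winIdentity.Name))
        ' Replace the principal so User.IsInRole() and <allow roles="..." /> see both.
        Context.User = New GenericPrincipal(winIdentity, roles.ToArray())
    End Sub

    ' Assumed schema: table UserRoles(AccountName, RoleName); connection string "AppRoles".
    ' Rows for accounts since deleted from AD are harmless: such accounts can no
    ' longer authenticate, so this lookup is never reached for them.
    Private Function GetApplicationRoles(ByVal accountName As String) As String()
        Dim result As New List(Of String)
        Dim connStr As String = ConfigurationManager.ConnectionStrings("AppRoles").ConnectionString
        Using conn As New SqlConnection(connStr)
            Using cmd As New SqlCommand("SELECT RoleName FROM UserRoles WHERE AccountName = @account", conn)
                cmd.Parameters.AddWithValue("@account", accountName) ' parameterised, never concatenated
                conn.Open()
                Using reader As SqlDataReader = cmd.ExecuteReader()
                    While reader.Read()
                        result.Add(reader.GetString(0))
                    End While
                End Using
            End Using
        End Using
        Return result.ToArray()
    End Function
End Class
```

The scheduled sync job Alexey mentions then only has to prune UserRoles rows whose AccountName no longer resolves in the directory; authorization itself never trusts a row for an account that cannot log on.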
