Hierarchy in user management

Discussion in 'ASP .Net Security' started by Bob Gregory, Sep 21, 2004.

  1. Bob Gregory

    Bob Gregory Guest

    Hi all,

    I'm a newcomer to the .Net framework having worked in bog standard
    ASP/SQL for far too long.

    I have a massive project coming up, for which I will need to model a
    tree structure of users. Users can access other entities in the
    database depending on their position in the structure and the
    properties of those entities.

    As a simple example, each user is a member of a store. Stores are
    members of storegroups, storegroups may be members of larger
    storegroups and so on. Each store has 0-N widgets, those widgets may
    or may not be exposed to other stores and storegroups.

    Users at the top of a subtree can see any widgets, users, stores and
    groups below them, but may be granted permissions on other objects or
    subtrees. Users can also be explicitly denied permissions on an object
    or subtree.

    Are you keeping up at the back? There'll be a short quiz at the end.

    I've built one of these things before, and a right pig of a system it
    was too, using separate tables for transitive closure. If you're
    interested in the method I worked from, check out
    http://citeseer.ist.psu.edu/dong99maintaining.html

    This was wonderfully fast for updates, but got painfully slow for the
    kind of aggregated selects I need to do for this system.

    My question, simply, is what options are available to me in the .Net
    framework? I'd rather not have to kludge together a system in an RDBMS
    because it gets unwieldy and this thing will need to Scale with a
    purposeful capital.

    I've looked briefly at directory services, which seem to offer the
    right model for the user side of things, but I'd have to tie it into
    SQL in such a fashion that a user can retrieve a list of all the
    widgets exposed to his subordinate users which aren't explicitly
    denied to him.

    So, assuming that infrastructure is available by the bucket load
    (servers, software, whatever is necessary) what is the best way to
    knock something like this up?

    -- FlinkyWistyPomm

    Ps. I apologise for the vagaries, it's the usual All Your Code Are
    Belong To Us situation.
    Bob Gregory, Sep 21, 2004
    #1

  2. Bob Gregory

    richlm Guest

    Not much specifically in .NET that can help to solve the
    architectural/scalability issues here.

    Using AD to store your organizational hierarchy + users sounds like a good
    choice, and I don't think you can avoid having to store your widgets etc. in
    SQL server.

    You might want to look at Microsoft "Authorization Manager" (AzMan) - a new
    feature in Windows Server 2003.
    I'm not sure it can address all of your requirements but it might help.
    richlm, Sep 21, 2004
    #2

  3. Bob Gregory

    Bob Gregory Guest

    Hey Rich thanks for the reply,

    "richlm" <> wrote in message news:<#>...
    > Not much specifically in .NET that can help to solve the
    > architectural/scalability issues here.


    No, I'm more looking for architecture tips, but there isn't a .Net
    architecture group that I'm aware of.

    >
    > Using AD to store your organizational hierarchy + users sounds like a good
    > choice, and I don't think you can avoid having to store your widgets etc. in
    > SQL server.
    >


    I'm fine with storing my widgets in SQL, that's what it's for. My
    question more specifically, is how can I integrate my user directory
    with SQL, or do I need to handle that myself?

    IOW, is there a native way to use the results of a search on an active
    directory against SQL or do I need to write a wrapper to do all that
    for me?

    If not then you end up posting delimited strings or XML to SQL to
    represent a list of users and that's something I want to avoid if
    possible. I suppose I could use a template query and include the
    results of my ad search in the template, but I detect the first whiffs
    of CodeSmell.

    Anyone know anything about returning XML from an active directory?

    > You might want to look at Microsoft "Authorization Manager" (AzMan) - a new
    > feature in Windows Server 2003.
    > I'm not sure it can address all of your requirements but it might help.


    I've heard vague rumblings about AzMan. I'll have another look at that
    and see what occurs to me.


    Cheers

    -- Bob
    Bob Gregory, Sep 22, 2004
    #3
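
    Added example, not part of the thread or any poster's code: one way to feed a directory search result into SQL without delimited strings or a templated query, by staging the names as bound rows and joining against them. SQLite stands in for SQL Server, the `DIRECTORY` dict stands in for an Active Directory search, and all table, column and user names are hypothetical, constructed sample data.

```python
import sqlite3

# Constructed stand-in for a directory search result: node -> children.
# Leaves are user names; one contains a quote character on purpose.
DIRECTORY = {
    "group-north": ["store-1", "store-2"],
    "store-1": ["alice", "o'neil"],
    "store-2": ["carol"],
}

def subordinates(node):
    """Return every user (leaf) below a directory node, depth first."""
    users = []
    for child in DIRECTORY.get(node, []):
        users.extend(subordinates(child) if child in DIRECTORY else [child])
    return users

def setup():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE exposure (widget TEXT, user_name TEXT);
        CREATE TABLE denial   (widget TEXT, user_name TEXT);
    """)
    conn.executemany("INSERT INTO exposure VALUES (?, ?)", [
        ("w1", "alice"), ("w2", "o'neil"), ("w3", "carol"), ("w4", "dave"),
    ])
    conn.execute("INSERT INTO denial VALUES (?, ?)", ("w2", "boss-1"))
    return conn

def visible_widgets(conn, viewer, node):
    """Widgets exposed to users under `node`, minus explicit denials for `viewer`."""
    # Stage the directory result as rows; names travel as bound values only.
    conn.execute("CREATE TEMP TABLE IF NOT EXISTS scope (user_name TEXT)")
    conn.execute("DELETE FROM scope")
    conn.executemany("INSERT INTO scope VALUES (?)",
                     [(u,) for u in subordinates(node)])
    rows = conn.execute("""
        SELECT DISTINCT e.widget
        FROM exposure AS e
        JOIN scope AS s ON s.user_name = e.user_name
        WHERE e.widget NOT IN (SELECT widget FROM denial WHERE user_name = ?)
        ORDER BY e.widget
    """, (viewer,)).fetchall()
    return [r[0] for r in rows]

if __name__ == "__main__":
    print(visible_widgets(setup(), "boss-1", "group-north"))
```

    Because every name reaches the database as a bound parameter, a value such as `o'neil` is matched as data and never becomes part of the SQL text, and the explicit denial is applied inside the same query that resolves the subtree.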
  4. Bob Gregory

    richlm Guest

    I guess we have to look forward to the day when the AD store is SQL server.
    Then maybe we can do this sort of stuff.

    Another thing to look at might be the "Authorization and Profile Application
    Block" from Microsoft patterns and practices.
    richlm, Sep 22, 2004
    #4
  5. Although I don't have a solution for you, I do know that Microsoft
    created something similar when they created Commerce Server 2000. They
    supplied a User Profile Object along with a configuration architecture
    that wrapped access to Active Directory and SQL Server. You may get
    some ideas by reading about it. I googled real quick on "commerce
    server User Profile Object".

    One interesting link on performance characteristics:
    http://www.microsoft.com/technet/prodtechnol/comm/comm2000/maintain/perform/upmtca2.mspx
    Joseph E Shook [MVP - ADSI], Sep 23, 2004
    #5