Security model guidelines - Server-centric implementation - Win2K3 - dotNet

[Bert Nieves]

Greetings,

a) Server environment : Windows 2003 Standard
b) Database: SQL Server 2000
c) Development: Combination of VB6 COM+ , ASP.NET, and VB.NET.

Looking at potential tracks for an implementation of a server-centric
security model for an n-tier, intranet based system. All business logic and
business-related workflows will reside on the server with several different
UIs accessing (.NET forms, ASP.NET, VB6 forms). Security requirements are
pretty solid with an emphasis on role-based security mechanisms and a "more
granular" set of data filtering (views). I'm looking at the following
tracks for the implementation of the Role-based portion of this security
model ...

1) COM+ Role based implementation
2) Win2K3 Authorization Manager based role implementation
3) Custom .NET coding using the System.Security.Permissions namespace

Can anyone recommend and/or relate their experiences in choosing any 1 of
the above 3 choices for user-authentication and authorization. I'm most
familiar and experienced with COM+ Roles. I would really appreciate some
MVPs chiming in

Thanx in advance.

Bert Nieves
(e-mail address removed)

 

[Ram Sunkara [msft]]

In the current implementation of Azman, you can only store user role
assignments either in XML file or AD.
In the upcoming Whidbey relase, Azman will also provide SQL based stored
(this is what I understood in the recent PDC)
Has clear migration story. You do not need to write any code by yourself,
it's all out of the box.
Azman comes up with very good role assignment concepts like APPLICATION,
SCOPE, OPERATIONS...

Custom .NET coding using the System.Security.Permissions namespace is also a
good approach if you have resources, time and willing to do all by yourself.
ASP.NET 2.0 Whidbey relase will make this process easy, you need to provide
implementation for couple interfaces (IRoleProvider...I do not remember
correct name) and register your assembly in the configuration file.