Assigning application specific rights to existing Windows domain users

Kursat

Hello,

I am developing a Web based (ASP.NET 2.0) intranet application which will
run in a Windows domain environment. Users will log in using their domain
accounts. So far so good, but if a user has a valid domain account he or
she can access all the functionality exposed by the application, whereas I
want users to be able to use only a previously assigned set of application functions.
How can I assign application specific rights to existing domain users?

Thanks in advance.
 
Guest

You can create a database containing user IDs and roles.

In global.asax you can use these roles as in this example:

    ' In Global.asax.vb (in an inline Global.asax use <%@ Import Namespace="System.Security.Principal" %>)
    Imports System.Security.Principal

    Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)

        If Request.IsAuthenticated Then

            ' Get data from the database, e.g. SELECT role FROM users WHERE username = @username,
            ' passing Context.User.Identity.Name as a parameter. GetMyUserRoles is your own lookup.
            Dim roles() As String = GetMyUserRoles(Context.User.Identity.Name)

            ' Replace the request's principal with one that carries the application roles
            Context.User = New GenericPrincipal(Context.User.Identity, roles)

        End If

    End Sub
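A C# counterpart of the handler above with the database lookup filled in, as an added example (not code from the thread). It assumes a table AppUserRoles(UserName, RoleName) and a connection string named AppDb, both hypothetical. The account name is bound as a query parameter rather than concatenated into the SQL text, so a crafted account name cannot alter the query, and a user with no rows ends up with an empty role set, so every IsInRole check fails closed.

```csharp
// Global.asax.cs (added example; assumes the AppUserRoles table and the AppDb connection string)
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (!Request.IsAuthenticated) return;

        // Under Windows authentication Identity.Name is "DOMAIN\user"; store and look it up in that form
        string[] roles = GetMyUserRoles(Context.User.Identity.Name);

        // Keep the Windows identity (authentication facts stay untouched) but replace the
        // role set with the application's own assignments. No rows means no roles.
        Context.User = new GenericPrincipal(Context.User.Identity, roles);
    }

    // Assumed table: AppUserRoles(UserName nvarchar(256), RoleName nvarchar(64)).
    private static string[] GetMyUserRoles(string userName)
    {
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString; // assumed name
        List<string> roles = new List<string>();
        using (SqlConnection cn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT RoleName FROM AppUserRoles WHERE UserName = @user", cn))
        {
            // Parameterised: the name is data, never part of the statement text
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 256).Value = userName;
            cn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                while (r.Read()) roles.Add(r.GetString(0));
            }
        }
        return roles.ToArray();
    }
}
```

From then on User.IsInRole("Approver") in page code, or `<allow roles="Approver" />` in web.config, is evaluated against the rows in AppUserRoles for that account.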
 
Kursat

Hi Alexey,
If I use a separate database for my application users, how can I keep my
database in sync with Active Directory?
 
Guest

I think there are two points to mention. The first is where
you manage your users and rights. The second is the authorization
process. Do you need to authorize a user based on his/her rights from
the Active Directory, or do you only have his/her user id?

The user information (and roles) comes out of the Active Directory;
you can either use

User.IsInRole() property

or

you can configure web.config

<allow roles="PC\group" />

etc
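The `<allow roles="PC\group" />` line above only does what you expect inside a complete authorization section. As an added example (not from the thread), here is a web.config fragment with the rules in the order ASP.NET evaluates them: first match wins, so the final `<deny users="*" />` is what turns the list into an allow-list. `PC\group` and `PC\ReportViewers` are placeholder group names.

```xml
<configuration>
  <system.web>
    <!-- Users are authenticated by IIS/Windows; the application never sees a password -->
    <authentication mode="Windows" />
    <authorization>
      <!-- Evaluated top to bottom, first match wins -->
      <deny users="?" />            <!-- no anonymous access -->
      <allow roles="PC\group" />    <!-- domain group (or an application role from a custom principal) -->
      <deny users="*" />            <!-- everyone else is refused; without this line all authenticated users pass -->
    </authorization>
  </system.web>
  <!-- Tighter rule for one folder; the parent rules still apply first -->
  <location path="Reports">
    <system.web>
      <authorization>
        <allow roles="PC\ReportViewers" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The `roles` attribute is matched by calling IsInRole on the current principal, so if Application_AuthenticateRequest installs a principal carrying database roles, those role names can be used here in place of domain groups.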
 
Guest

I mean

If the user information (and roles) comes out of the Active
Directory...
 
Kursat

Alexey, thanks for your reply.

I have determined some application specific roles based on operations and
resource access rights and want to build a generic security framework which
can work integrated with Active Directory. So I should consider using domain
groups as roles. The main problem is that we generally have more detailed
roles than our customer's domain groups. So some new groups would have to be
created at the customer's side to satisfy our (not our but their, indeed!)
security needs. But customers resist modifying their directory structure to
get every single application working. Then how can I realize the goals below with
the problem in hand?

- Every user will authenticate using their domain user information
- Authorization is based on application specific roles, while it is impossible
to create a new domain group for every role.

I know I should use a separate store to assign users to roles, but how can I
keep this store and Active Directory synchronized? How can I get notified if
a user in one of my roles is deleted from Active Directory?
 
Guest

Being synchronized is not a problem; you can have a scheduled job to
check that on a regular basis.

However, I think you can consider the code from my first answer and
try to follow it. When you create a new auth ticket you can join
your "database" roles with the AD groups. All that has to be added
there is an enumeration of AD groups and adding them to the roles()
array.
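The reply above covers two things: joining the database roles with the caller's AD groups when the principal is built, and a scheduled job that reconciles the role store against the directory. The following C# is an added example (not Alexey's code or the thread's) covering both. Rather than copying group names into the roles array, the principal delegates group checks to a WindowsPrincipal, which avoids translating every group SID on each request; the result is the same join. It assumes a GetMyUserRoles lookup of your own for the database side, a role store keyed by "DOMAIN\user", and an ldapPath such as LDAP://DC=example,DC=local supplied by the caller (all hypothetical).

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;   // reference System.DirectoryServices.dll
using System.Security.Principal;

// Principal whose IsInRole is true for the application's own roles (from the database)
// and for AD group membership (delegated to WindowsPrincipal, so "DOMAIN\Group" keeps working).
public sealed class AppPrincipal : IPrincipal
{
    private readonly WindowsPrincipal windows;
    private readonly Dictionary<string, bool> appRoles =
        new Dictionary<string, bool>(StringComparer.OrdinalIgnoreCase);

    public AppPrincipal(WindowsIdentity identity, IEnumerable<string> dbRoles)
    {
        windows = new WindowsPrincipal(identity);
        foreach (string r in dbRoles) appRoles[r] = true;
    }

    public IIdentity Identity { get { return windows.Identity; } }

    public bool IsInRole(string role)
    {
        // Application roles first (no directory round trip), then AD group membership
        return appRoles.ContainsKey(role) || windows.IsInRole(role);
    }
}

// In Application_AuthenticateRequest (Global.asax.cs), assuming your own GetMyUserRoles:
//   WindowsIdentity wi = Context.User.Identity as WindowsIdentity;
//   if (wi != null) Context.User = new AppPrincipal(wi, GetMyUserRoles(wi.Name));

// Scheduled reconciliation job: given the user names currently present in the role store,
// return those whose account no longer exists or is disabled in the directory. The caller
// then deletes their rows with a parameterised DELETE FROM AppUserRoles WHERE UserName = @user.
public static class RoleStoreReconciler
{
    private const int ACCOUNTDISABLE = 0x0002; // userAccountControl flag

    public static List<string> FindStaleUsers(IEnumerable<string> storedUsers, string ldapPath)
    {
        List<string> stale = new List<string>();
        using (DirectoryEntry root = new DirectoryEntry(ldapPath))
        using (DirectorySearcher ds = new DirectorySearcher(root))
        {
            ds.PropertiesToLoad.Add("userAccountControl");
            foreach (string domainUser in storedUsers)
            {
                // Strip the "DOMAIN\" prefix; sAMAccountName is unique within the domain searched
                string sam = domainUser.Substring(domainUser.IndexOf('\\') + 1);
                ds.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                            + LdapEscape(sam) + "))";
                SearchResult r = ds.FindOne();
                if (r == null) { stale.Add(domainUser); continue; }      // account deleted
                int uac = (int)r.Properties["userAccountControl"][0];
                if ((uac & ACCOUNTDISABLE) != 0) stale.Add(domainUser); // account disabled
            }
        }
        return stale;
    }

    // RFC 4515 escaping so a stored name cannot change the meaning of the filter
    private static string LdapEscape(string s)
    {
        return s.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
                .Replace(")", "\\29").Replace("\0", "\\00");
    }
}
```

A stale row for a deleted account is not itself usable, since that account can no longer authenticate; the reason to reconcile is that an account later re-created with the same name would silently inherit the old role rows. Keying the store on the account's SID instead of its name removes that problem, because SIDs are never reused.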
 
