Okay, the subject line explains a scenario I just had to tackle, but I am
looking for a better way.
The current way:
1) Use forms authentication.
2) Query Active Directory and bind to a user object; if no exception, create a
custom authentication ticket.
3) But I also needed role-based security within the app. So I used a SQL
Server 2K DTS package to get the members of the AD group and then created a
notification system to the application security administrator about a new
user if the user was not configured. The security administrator could then
log into the application and activate the account. The user is notified when
they log in whether their account is "not activated" or "pending activation".
What I need to know:
Is there a way I can use AD authentication with forms authentication and
have role-based security without maintaining a separate db? For example, if
I had 2 AD groups, how would I assign each group to a role?
Select Case, If/Then, hopefully you get my drift.
The company I work for has a security team that manages all changes and
account requests in AD. So it is difficult sometimes to convince them I have
4 roles for an application so I need 4 groups, whether they be nested or not.
Thanks
Marty
"Marty Underwood" <ma********@insightbb.com> wrote in message
news:tWEnb.53544$e01.137681@attbi_s02...
Marty, I don't understand: what's wrong with treating groups as roles?
--
John
Hey John, it's not that there is anything wrong; the problem comes when
determining which groups a person is a member of and then assigning them to
a role. Keep in mind some of these people may be a member of 20 or 30 groups
for the organization. I really hate to get the groups, drop the groups into an
array and then For/Next through each one to assign a role.
A lot of overhead I think can be prevented; I just can't think of the simplest
way.
Basically, my question is this: if I have 4 AD groups because I need 4
roles, how do I assign that person to a role when that person may be a
member of 50 plus groups?
Thanks
"John Saunders" <john.saunders at surfcontrol.com> wrote in message
news:%2****************@tk2msftngp13.phx.gbl...
"Marty Underwood" <ma********@insightbb.com> wrote in message
news:peWnb.58876$HS4.302857@attbi_s01...
I haven't done much AD programming, so maybe I'm missing something obvious.
But how about getting the list of AD groups the user is in from AD and
putting it into an array and sorting it, and using binary search on the
sorted array to look up all the AD groups which correspond to your roles?
Or how about just adding all the AD groups as roles? The ones which don't
correspond to roles won't hurt anything (except to make the list of roles
larger).
I just don't see much room for doing something much different: you've got
two lists of "group-like objects". Either they're from the same set and you
use them as is, or they're from different sets and you need to find the
correspondence.
--
John
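Putting Marty's original flow (forms authentication, validate against AD, custom ticket) together with John's suggestion of looking the user's groups up against the role groups, as an added C# example that is not code from the thread. It assumes .NET Framework 3.5 or later for System.DirectoryServices.AccountManagement (newer than this 2003 thread, which would have used System.DirectoryServices directly), a domain named corp.example.com, four placeholder role-group SIDs, and a login page with controls named UserName, Password and Message. Instead of sorting the user's groups and binary-searching, it keys a dictionary on group SID and does one hash lookup per group the user is in, so 4 groups or 50 cost the same:

```csharp
// Added example, not from the thread: forms authentication against AD with
// transitive group membership mapped to application roles via a SID-keyed
// dictionary. Domain name, SIDs and control names below are assumptions.
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class AdRoleMapper
{
    // Role group SID -> application role. Keyed on SID rather than CN: a CN is
    // not unique across OUs and a group can be deleted and recreated under the
    // same name, while a SID identifies one group for its lifetime.
    // Placeholder SIDs; in practice read the real ones from web.config.
    private static readonly Dictionary<SecurityIdentifier, string> RoleGroups =
        new Dictionary<SecurityIdentifier, string>
        {
            { new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1101"), "Admin" },
            { new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1102"), "Approver" },
            { new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1103"), "Editor" },
            { new SecurityIdentifier("S-1-5-21-1111111111-2222222222-3333333333-1104"), "Reader" },
        };

    // Pure mapping (unit-testable without a domain): one hash lookup per group
    // the user is in, no sorting, no nested loops.
    public static string[] RolesFor(IEnumerable<SecurityIdentifier> userGroupSids)
    {
        var roles = new List<string>();
        foreach (SecurityIdentifier sid in userGroupSids)
        {
            string role;
            if (RoleGroups.TryGetValue(sid, out role) && !roles.Contains(role))
                roles.Add(role);
        }
        roles.Sort(StringComparer.Ordinal);
        return roles.ToArray();
    }

    // Validates the password against the domain and returns the user's roles;
    // null when the password is wrong or the account holds no application role.
    public static string[] Authenticate(string username, string password)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, "corp.example.com"))
        {
            if (!ctx.ValidateCredentials(username, password, ContextOptions.Negotiate))
                return null;
            UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, username);
            if (user == null) return null;
            // GetAuthorizationGroups expands nested groups, so the security team
            // can nest an existing team group inside a role group.
            var sids = new List<SecurityIdentifier>();
            foreach (Principal group in user.GetAuthorizationGroups())
                if (group.Sid != null) sids.Add(group.Sid);
            string[] roles = RolesFor(sids);
            return roles.Length == 0 ? null : roles;
        }
    }
}

// Login.aspx.cs: roles go into the ticket's UserData, which is MAC'd and
// encrypted with the ticket (protection="All"), so the browser cannot grant
// itself "Admin" and AD is not queried again on every request.
public partial class Login : System.Web.UI.Page
{
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string[] roles = AdRoleMapper.Authenticate(UserName.Text, Password.Text);
        if (roles == null)
        {
            Message.Text = "Login failed, or this account is not activated for the application.";
            return;
        }
        var ticket = new FormsAuthenticationTicket(1, UserName.Text, DateTime.Now,
            DateTime.Now.AddMinutes(30), false, string.Join("|", roles));
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        Response.Cookies.Add(cookie);
        Response.Redirect(FormsAuthentication.GetRedirectUrl(UserName.Text, false));
    }
}

// Global.asax.cs: rebuild the principal from the ticket so User.IsInRole and
// <authorization><allow roles="Admin"/> work as they would with Windows auth.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;
        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(cookie.Value); }
        catch (Exception) { return; }          // tampered or foreign cookie
        if (ticket == null || ticket.Expired) return;
        Context.User = new GenericPrincipal(
            new GenericIdentity(ticket.Name, "Forms"), ticket.UserData.Split('|'));
    }
}
```

The roles ride in the ticket, so they are only as fresh as the ticket: a user removed from the Admin group keeps Admin until the ticket expires, which is the argument for a short timeout or for re-checking AD before sensitive actions. A user whose password is valid but who is in none of the four groups gets no ticket at all, which replaces the DTS export and the "pending activation" workflow: activation becomes the security team adding the account to the group.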
"John Saunders" <john.saunders at surfcontrol.com> wrote in message
news:um**************@TK2MSFTNGP10.phx.gbl...
Long last couple of days; what you say is what I have to do. I was just
working on 3 different projects at the same time and guess I got my mind
sidetracked. I thought about a different way, and that is to check the
members of a group against a username and see if that person is a member of
the group instead of checking the groups that person is a member of.
Thanks for your time
Marty
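Marty's closing idea, check whether the user is in each role group rather than walking the user's own group list, as a second added C# example that is also not from the thread. It assumes System.DirectoryServices, a base DN of DC=corp,DC=example,DC=com and four placeholder group DNs. Two points the thread does not cover: the login name comes from the form, so it is escaped before being spliced into the LDAP filter (otherwise a name like *)(objectClass=* rewrites the query), and the search uses the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941, available on Windows Server 2003 SP2 and later domain controllers, so after this thread) so that membership through a nested group counts:

```csharp
// Added example, not from the thread: ask AD which of the role groups contain
// the user, instead of walking the user's memberOf list. Two searches per
// login: one to resolve the login name to a DN, one that returns only the
// role groups containing that DN, directly or through nesting.
// Base DN and group DNs are assumptions.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text;

public static class GroupMembershipCheck
{
    private const string BaseDn = "DC=corp,DC=example,DC=com";   // assumed

    // Distinguished name of each role group -> application role (assumed DNs).
    private static readonly Dictionary<string, string> RoleByGroupDn =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "CN=App-Admins,OU=AppGroups," + BaseDn,    "Admin" },
            { "CN=App-Approvers,OU=AppGroups," + BaseDn, "Approver" },
            { "CN=App-Editors,OU=AppGroups," + BaseDn,   "Editor" },
            { "CN=App-Readers,OU=AppGroups," + BaseDn,   "Reader" },
        };

    // RFC 4515 escaping for a value placed inside an LDAP filter. The login
    // name comes straight from the form; without this, "*)(objectClass=*"
    // typed as a user name rewrites the query (LDAP injection).
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Filter matching only the role groups that contain userDn.
    // member:1.2.840.113556.1.4.1941:= is LDAP_MATCHING_RULE_IN_CHAIN, so a
    // user in a team group nested inside App-Editors still matches; a plain
    // member= sees direct members only.
    public static string RoleGroupsContainingFilter(string userDn)
    {
        var sb = new StringBuilder("(&(objectClass=group)(|");
        foreach (string groupDn in RoleByGroupDn.Keys)
            sb.Append("(distinguishedName=").Append(EscapeFilterValue(groupDn)).Append(')');
        sb.Append(")(member:1.2.840.113556.1.4.1941:=")
          .Append(EscapeFilterValue(userDn)).Append("))");
        return sb.ToString();
    }

    // Resolves a sAMAccountName to the user's DN, or null if no such account.
    public static string FindUserDn(DirectoryEntry root, string samAccountName)
    {
        string filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                        + EscapeFilterValue(samAccountName) + "))";
        using (var searcher = new DirectorySearcher(root, filter))
        {
            searcher.PropertiesToLoad.Add("distinguishedName");
            SearchResult user = searcher.FindOne();
            return user == null ? null : (string)user.Properties["distinguishedName"][0];
        }
    }

    // Roles for the login name; empty when the account is in none of the role
    // groups, which is the "not activated" case from the original post.
    public static string[] RolesFor(string samAccountName)
    {
        var roles = new List<string>();
        // Binds as the worker-process identity, which only needs read access.
        using (var root = new DirectoryEntry("LDAP://" + BaseDn))
        {
            string userDn = FindUserDn(root, samAccountName);
            if (userDn == null) return roles.ToArray();
            using (var searcher = new DirectorySearcher(root, RoleGroupsContainingFilter(userDn)))
            {
                searcher.PropertiesToLoad.Add("distinguishedName");
                using (SearchResultCollection groups = searcher.FindAll())
                {
                    foreach (SearchResult g in groups)
                    {
                        string dn = (string)g.Properties["distinguishedName"][0];
                        string role;
                        if (RoleByGroupDn.TryGetValue(dn, out role)) roles.Add(role);
                    }
                }
            }
        }
        roles.Sort(StringComparer.Ordinal);
        return roles.ToArray();
    }
}
```

The cost is two round trips regardless of how many other groups the user belongs to, because the second filter only ever returns the four role groups. Both queries run as the application's own identity (a domain-joined app pool or a dedicated service account with read-only rights on the groups), not with the user's password, so password validation stays a separate step as in the first example.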