If I want to generate a menu structure depending on who is logged in
in an intranet system (using Windows authentication), is it better to use the
GROUPS in Active Directory
or to move the Active Directory groups into a SQL Server database and base
the authorization and authentication on the SQL Server roles/groups?
What's the best way to make use of the GROUPS in Active Directory to
authorize
users apart from using web.config, where you have to set it configuratively
like below (but I don't want this)?

<authorization>
    <allow roles="DOMAIN\HRUsers" />
    <deny users="*" />
</authorization>

This works if I want to deny users who are not part of the GROUP
"HRUSERS" (which just denies the URL .aspx page).
Is it possible to store/collect all the Active Directory groups and use them
in code to validate against USERS?
(Apart from storing them in SQL Server?)
or
programmatically by doing:

If Not (User.IsInRole("HR")) And Not (User.IsInRole("Managers")) Then
    ' Display the Button
Else
    ' Don't display it!
End If

The bad side to these methods is that if you are calling a method several
times from different applications, you will need to repeat the logic all
the time. How can I do it declaratively using Active Directory?
I know if I use a database with stored procedures that would be a benefit.
Any thoughts?
Some thoughts:
I'd leave the groups in Active Directory. Administrators become
unhappy when they have to update authorization rules in two places :)
IsInRole works very well for programmatic checks.
Have you looked at the security trimming feature of the ASP.NET 2.0
navigation system? Or is this in 1.1?
--
Scott http://www.OdeToCode.com/blogs/scott/
On Fri, 4 Nov 2005 20:25:37 +1100, "Patrick.O.Ige"
<pa********@optusnet.com.au> wrote:
> If I want to generate a menu structure depending on who is logged in
> in an intranet system (using Windows authentication), is it better to use
> the GROUPS in Active Directory or to move the Active Directory groups
> into a SQL Server database and base the authorization and authentication
> on the SQL Server roles/groups?
> What's the best way to make use of the GROUPS in Active Directory to
> authorize users apart from using web.config, where you have to set it
> configuratively like below (but I don't want this)?
>
> <authorization>
>     <allow roles="DOMAIN\HRUsers" />
>     <deny users="*" />
> </authorization>
>
> This works if I want to deny users who are not part of the GROUP
> "HRUSERS" (which just denies the URL .aspx page).
> Is it possible to store/collect all the Active Directory groups and use
> them in code to validate against USERS?
> (Apart from storing them in SQL Server?)
> or programmatically by doing:
>
> If Not (User.IsInRole("HR")) And Not (User.IsInRole("Managers")) Then
>     ' Display the Button
> Else
>     ' Don't display it!
> End If
>
> The bad side to these methods is that if you are calling a method several
> times from different applications, you will need to repeat the logic all
> the time. How can I do it declaratively using Active Directory?
> I know if I use a database with stored procedures that would be a benefit.
> Any thoughts?
We use Authorization Manager (available standard in Windows 2003 and as
a download for Windows 2000) which takes the whole role management
thing out of the application altogether.
You still organize authorization by users and roles and such, and it
links into Active Directory, but what it boils down to in the
application code is a check for a certain task or operation and if the
current user is allowed to do that or not:

    Authorization.CheckAccess("taskIdentifier", currentIdentity) as Boolean

You define the task identifier strings in Authorization Manager (AzMan)
as a developer task, then assigning all the permissions to those tasks,
organizing them into roles and such, becomes an administrative
function. The real benefit here is that you can change what it means to
be a member of "Admins" or "Managers" outside of the application, and
the app behaves accordingly, without a recompile.
So, when you build your menu structure, call the authorization manager
for each menu item (use a nice naming convention that corresponds to
the tasks defined in AzMan) and ask if the current user is allowed to
do that task or not, and decide to add it to the menu structure or not
(or enable/disable).
Enterprise Library has an authorization piece that leverages AzMan.
There are lots of samples out there if you google AzMan and .NET or C#.
Mike
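
Added example, not code from the thread: one way to do the per-menu-item check described above directly against the AzMan COM interop assembly (Microsoft.Interop.Security.AzRoles), in C# for .NET 2.0. The class name, store URL, application name and the caption-to-operation map are hypothetical; raw AzMan access checks work on operations, so each menu item maps to an operation name defined in the store.

```csharp
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Security.Principal;
using Microsoft.Interop.Security.AzRoles;   // AzMan primary interop assembly

public sealed class MenuAuthorizer           // hypothetical helper, not an AzMan type
{
    private readonly IAzApplication app;

    // storeUrl and appName are deployment-specific assumptions,
    // e.g. "msxml://C:\\AzStore\\intranet.xml" and "Intranet".
    public MenuAuthorizer(string storeUrl, string appName)
    {
        AzAuthorizationStoreClass store = new AzAuthorizationStoreClass();
        store.Initialize(0, storeUrl, null);             // 0 = open an existing store
        app = store.OpenApplication(appName, null);
    }

    // True when the AzMan policy grants the named operation to this Windows user.
    public bool IsAllowed(WindowsIdentity user, string operationName)
    {
        IAzClientContext ctx =
            app.InitializeClientContextFromToken((ulong)user.Token.ToInt64(), null);
        IAzOperation op = app.OpenOperation(operationName, null);
        object[] scopes = new object[] { "" };           // "" = application-level scope
        object[] ops = new object[] { op.OperationID };
        object[] results = (object[])ctx.AccessCheck(
            "menu:" + operationName, scopes, ops, null, null, null, null, null);
        return (int)results[0] == 0;                     // 0 (NO_ERROR) = access granted
    }

    // Returns the captions of the menu entries the user may see.
    // menu maps caption -> AzMan operation name.
    public List<string> VisibleItems(WindowsIdentity user, IDictionary<string, string> menu)
    {
        List<string> visible = new List<string>();
        foreach (KeyValuePair<string, string> item in menu)
        {
            bool allowed;
            try { allowed = IsAllowed(user, item.Value); }
            catch (COMException) { allowed = false; }    // unknown operation or store error: fail closed
            if (allowed) visible.Add(item.Key);
        }
        return visible;
    }
}
```

Trimming the menu only hides links, so the page or handler that performs the operation should call the same IsAllowed check, because the URL can still be requested directly.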
I know that it's actually like reinventing the wheel.
I don't think the trimming navigation system is in ASP.NET 1.1.
In 2.0 I think.
Thx Scott
I'm looking at using Authorization Manager if all goes well.
"Scott Allen" <sc***@nospam.odetocode.com> wrote in message
news:9f********************************@4ax.com...
> Some thoughts:
> I'd leave the groups in Active Directory. Administrators become
> unhappy when they have to update authorization rules in two places :)
> IsInRole works very well for programmatic checks.
> Have you looked at the security trimming feature of the ASP.NET 2.0
> navigation system? Or is this in 1.1?
> --
> Scott http://www.OdeToCode.com/blogs/scott/
Mike, thx a lot for the reply.
I will look into using this. Well, the good thing is that I can use it on
Win 2000 because I don't think they have WIN2003 yet.
Patrick
"xhead" <xh******@gmail.com> wrote in message
news:11**********************@g14g2000cwa.googlegroups.com...
> We use Authorization Manager (available standard in Windows 2003 and as
> a download for Windows 2000) which takes the whole role management
> thing out of the application altogether.
> You still organize authorization by users and roles and such, and it
> links into Active Directory, but what it boils down to in the
> application code is a check for a certain task or operation and if the
> current user is allowed to do that or not:
>
>     Authorization.CheckAccess("taskIdentifier", currentIdentity) as Boolean
>
> You define the task identifier strings in Authorization Manager (AzMan)
> as a developer task, then assigning all the permissions to those tasks,
> organizing them into roles and such, becomes an administrative
> function. The real benefit here is that you can change what it means to
> be a member of "Admins" or "Managers" outside of the application, and
> the app behaves accordingly, without a recompile.
> So, when you build your menu structure, call the authorization manager
> for each menu item (use a nice naming convention that corresponds to
> the tasks defined in AzMan) and ask if the current user is allowed to
> do that task or not, and decide to add it to the menu structure or not
> (or enable/disable).
> Enterprise Library has an authorization piece that leverages AzMan.
> There are lots of samples out there if you google AzMan and .NET or C#.
> Mike