Role of current windows login user

Role is a pretty general term. Most Role-based concepts in .NET equate Roles
to Groups. E.g. PrincipalPermis sion and IPrincipal.IsIn Role use Groups as
Roles.

--
http://www.peterRitchie.com/
"Mark White" wrote:

Hey everyone

I'm having a great deal of problems finding this information through google
and yahoo, so I turn to you on this.

I have a Windows app running on XP. I am able to caputre the user's Name
property in the WindowsPrincipa l's IIdentity interface.

Where can I find the role that the user is assigned for the current login?
I only want the one role which is assigned for the current user, not all of
the groups in which the user belongs (that is working fine).

Do I have to actually test out permissions on files/objects to find the
current role/group? Seems to be a lot of work going that route for
something which should be accessible in the same interface as Name. Why
isn't it?

I'm on 1.1 btw. Has this changed in 2.0?

Mark,
WindowsIdentity has the IsAnonymous, IsAuthenticated , IsGuest, IsSystem and
Name properties.

You can enumerate roles by using a little reflection:

private void Form1_Load(obje ct sender, System.EventArg s e)
{
WindowsIdentity id = WindowsIdentity .GetCurrent();
Type idType ;
idType = id.GetType();
object result =
idType.InvokeMe mber("_GetRoles ", BindingFlags.St atic |
BindingFlags.In vokeMethod |
BindingFlags.No nPublic, null, id, new Object[] {id.Token}, null);
string[] roles = (string[])result;
int i;
for( i = 0; i<roles.Length ;i++)
Console.WriteLi ne(roles[i]);
}
--
Co-founder, Eggheadcafe.com developer portal:
http://www.eggheadcafe.com
UnBlog:
http://petesbloggerama.blogspot.com


"Mark White" wrote:

Hey everyone

I'm having a great deal of problems finding this information through google
and yahoo, so I turn to you on this.

I have a Windows app running on XP. I am able to caputre the user's Name
property in the WindowsPrincipa l's IIdentity interface.

Where can I find the role that the user is assigned for the current login?
I only want the one role which is assigned for the current user, not all of
the groups in which the user belongs (that is working fine).

Do I have to actually test out permissions on files/objects to find the
current role/group? Seems to be a lot of work going that route for
something which should be accessible in the same interface as Name. Why
isn't it?

I'm on 1.1 btw. Has this changed in 2.0?

Thank you in advance for any help you can give me.

Mark White

"Mark White" <ma*******@yaho o.com> wrote in message
news:%2******** ********@TK2MSF TNGP11.phx.gbl. ..
| Hey everyone
|
| I'm having a great deal of problems finding this information through
google
| and yahoo, so I turn to you on this.
|
| I have a Windows app running on XP. I am able to caputre the user's Name
| property in the WindowsPrincipa l's IIdentity interface.
|
| Where can I find the role that the user is assigned for the current login?
| I only want the one role which is assigned for the current user, not all
of
| the groups in which the user belongs (that is working fine).
|
| Do I have to actually test out permissions on files/objects to find the
| current role/group? Seems to be a lot of work going that route for
| something which should be accessible in the same interface as Name. Why
| isn't it?
|
| I'm on 1.1 btw. Has this changed in 2.0?
|
| Thank you in advance for any help you can give me.
|
| Mark White
|
|

Roles are not meant to check/control resource access permissions, they are
meant for program access/flow control. These are totally different things.

if(myPrincipal. IsInRole("Sales "))
{
// Do whatever "Sales" is allowed to do, initialize the UI etc...
}
else
if((myPrincipal .IsInRole("Acco untManagers"))
// do whatever "AccountMAnager s" are allowed to do.

Resources like file and directory object permissions are checked when a user
opens the resource, this is the task of the OS and (in general) not the task
of an application program. Note that V2.0 includes managed classes that
wraps the object security access API's in Win32 by means of
System.Security .AccessControl classes, v1.1 user can achieve the same using
System.Director yServices and some ADSI stuff or by using the
System.Manageme nt and WMI classes.

Willy.

Peter

Thanks for replying. I ran your code, and it worked great. But, it doesn't
tell me which role/group the user is currently assigned for that session.

Am I misunderstandin g how roles/groups are assigned when booting up? Does
the user get assigned one role/group when logging in or does the user have
the highest permission set of of all the groups?

Or the files/apps are only permitted by certain groups/roles, and unless the
user belongs to that group, no access?

I have code that enumerates the built-in roles and it seems to work well.
But it can only check if it IsInRole. Peter, your code is much better than
what I have though.

How can I get the current (1) role/group the logged in user is assigned?

Again, thank you for the help.

Mark
"Peter Bromberg [C# MVP]" <pb*******@yaho o.nospammin.com > wrote in message
news:AB******** *************** ***********@mic rosoft.com...

Mark,
WindowsIdentity has the IsAnonymous, IsAuthenticated , IsGuest, IsSystem and Name properties.

You can enumerate roles by using a little reflection:

private void Form1_Load(obje ct sender, System.EventArg s e)
{
WindowsIdentity id = WindowsIdentity .GetCurrent();
Type idType ;
idType = id.GetType();
object result =
idType.InvokeMe mber("_GetRoles ", BindingFlags.St atic |
BindingFlags.In vokeMethod |
BindingFlags.No nPublic, null, id, new Object[] {id.Token}, null);
string[] roles = (string[])result;
int i;
for( i = 0; i<roles.Length ;i++)
Console.WriteLi ne(roles[i]);
}
--
Co-founder, Eggheadcafe.com developer portal:
http://www.eggheadcafe.com
UnBlog:
http://petesbloggerama.blogspot.com


"Mark White" wrote:

Hey everyone

I'm having a great deal of problems finding this information through google and yahoo, so I turn to you on this.

I have a Windows app running on XP. I am able to caputre the user's Name property in the WindowsPrincipa l's IIdentity interface.

Where can I find the role that the user is assigned for the current login? I only want the one role which is assigned for the current user, not all of the groups in which the user belongs (that is working fine).

Do I have to actually test out permissions on files/objects to find the
current role/group? Seems to be a lot of work going that route for
something which should be accessible in the same interface as Name. Why
isn't it?

I'm on 1.1 btw. Has this changed in 2.0?

Thank you in advance for any help you can give me.

Mark White

Willy

Thank you for taking the time to explain that. I do appreciate it.

As you can see, my knowledge of the actual plumbing underneath permissions
leaves a bit to be desired. I've never had a need to know it, until now.

Mark

"Willy Denoyette [MVP]" <wi************ *@telenet.be> wrote in message
news:%2******** ********@TK2MSF TNGP11.phx.gbl. ..

"Mark White" <ma*******@yaho o.com> wrote in message
news:%2******** ********@TK2MSF TNGP11.phx.gbl. ..
| Hey everyone
|
| I'm having a great deal of problems finding this information through
google
| and yahoo, so I turn to you on this.
|
| I have a Windows app running on XP. I am able to caputre the user's Name | property in the WindowsPrincipa l's IIdentity interface.
|
| Where can I find the role that the user is assigned for the current login? | I only want the one role which is assigned for the current user, not all
of
| the groups in which the user belongs (that is working fine).
|
| Do I have to actually test out permissions on files/objects to find the
| current role/group? Seems to be a lot of work going that route for
| something which should be accessible in the same interface as Name. Why
| isn't it?
|
| I'm on 1.1 btw. Has this changed in 2.0?
|
| Thank you in advance for any help you can give me.
|
| Mark White
|
|

Roles are not meant to check/control resource access permissions, they are
meant for program access/flow control. These are totally different things.

if(myPrincipal. IsInRole("Sales "))
{
// Do whatever "Sales" is allowed to do, initialize the UI etc...
}
else
if((myPrincipal .IsInRole("Acco untManagers"))
// do whatever "AccountMAnager s" are allowed to do.

Resources like file and directory object permissions are checked when a user opens the resource, this is the task of the OS and (in general) not the task of an application program. Note that V2.0 includes managed classes that
wraps the object security access API's in Win32 by means of
System.Security .AccessControl classes, v1.1 user can achieve the same using System.Director yServices and some ADSI stuff or by using the
System.Manageme nt and WMI classes.

Willy.

One other question.

This was on a "skills test". The time has passed, and I'm not interested in
seeing any code. Just trying to make sense of this.

One of the requirements was to "display the role of the current logged in
user".

This was the test from the tech. manager. Unless it's a typo, shouldn't it
be role(s)?

Thanks.
"Willy Denoyette [MVP]" <wi************ *@telenet.be> wrote in message
news:%2******** ********@TK2MSF TNGP11.phx.gbl. ..

"Mark White" <ma*******@yaho o.com> wrote in message
news:%2******** ********@TK2MSF TNGP11.phx.gbl. ..
| Hey everyone
|
| I'm having a great deal of problems finding this information through
google
| and yahoo, so I turn to you on this.
|
| I have a Windows app running on XP. I am able to caputre the user's Name | property in the WindowsPrincipa l's IIdentity interface.
|
| Where can I find the role that the user is assigned for the current login? | I only want the one role which is assigned for the current user, not all
of
| the groups in which the user belongs (that is working fine).
|
| Do I have to actually test out permissions on files/objects to find the
| current role/group? Seems to be a lot of work going that route for
| something which should be accessible in the same interface as Name. Why
| isn't it?
|
| I'm on 1.1 btw. Has this changed in 2.0?
|
| Thank you in advance for any help you can give me.
|
| Mark White
|
|

Roles are not meant to check/control resource access permissions, they are
meant for program access/flow control. These are totally different things.

if(myPrincipal. IsInRole("Sales "))
{
// Do whatever "Sales" is allowed to do, initialize the UI etc...
}
else
if((myPrincipal .IsInRole("Acco untManagers"))
// do whatever "AccountMAnager s" are allowed to do.

Resources like file and directory object permissions are checked when a user opens the resource, this is the task of the OS and (in general) not the task of an application program. Note that V2.0 includes managed classes that
wraps the object security access API's in Win32 by means of
System.Security .AccessControl classes, v1.1 user can achieve the same using System.Director yServices and some ADSI stuff or by using the
System.Manageme nt and WMI classes.

Willy.

Well, as Windows based 'roles' are mapped to "Windows security group"
membership, and because a user can be a member of more than one security
group, it should be role(s).
Take a user "Bob", which is a member of both 'SalesDpt' and 'AccountMgrs',
Bob is automatically assigned both roles. In your code you can execute
different paths depending on whether he's an account manager or just a
generic member of a sales department.
Note that enumerating user groups (roles) by reflecting private methods like
shown by Peter, is NOT the way you should go, this code is non-portable and
fails on v2. The only right way to enumerate user groups is by using the
System.Director yServices classes.

Willy.

"Mark White" <ma*******@yaho o.com> wrote in message
news:%2******** ********@TK2MSF TNGP09.phx.gbl. ..
| One other question.
|
| This was on a "skills test". The time has passed, and I'm not interested
in
| seeing any code. Just trying to make sense of this.
|
| One of the requirements was to "display the role of the current logged in
| user".
|
| This was the test from the tech. manager. Unless it's a typo, shouldn't
it
| be role(s)?
|
| Thanks.
| "Willy Denoyette [MVP]" <wi************ *@telenet.be> wrote in message
| news:%2******** ********@TK2MSF TNGP11.phx.gbl. ..
| >
| > "Mark White" <ma*******@yaho o.com> wrote in message
| > news:%2******** ********@TK2MSF TNGP11.phx.gbl. ..
| > | Hey everyone
| > |
| > | I'm having a great deal of problems finding this information through
| > google
| > | and yahoo, so I turn to you on this.
| > |
| > | I have a Windows app running on XP. I am able to caputre the user's
| Name
| > | property in the WindowsPrincipa l's IIdentity interface.
| > |
| > | Where can I find the role that the user is assigned for the current
| login?
| > | I only want the one role which is assigned for the current user, not
all
| > of
| > | the groups in which the user belongs (that is working fine).
| > |
| > | Do I have to actually test out permissions on files/objects to find
the
| > | current role/group? Seems to be a lot of work going that route for
| > | something which should be accessible in the same interface as Name.
Why
| > | isn't it?
| > |
| > | I'm on 1.1 btw. Has this changed in 2.0?
| > |
| > | Thank you in advance for any help you can give me.
| > |
| > | Mark White
| > |
| > |
| >
| > Roles are not meant to check/control resource access permissions, they
are
| > meant for program access/flow control. These are totally different
things.
| >
| > if(myPrincipal. IsInRole("Sales "))
| > {
| > // Do whatever "Sales" is allowed to do, initialize the UI etc...
| > }
| > else
| > if((myPrincipal .IsInRole("Acco untManagers"))
| > // do whatever "AccountMAnager s" are allowed to do.
| >
| > Resources like file and directory object permissions are checked when a
| user
| > opens the resource, this is the task of the OS and (in general) not the
| task
| > of an application program. Note that V2.0 includes managed classes that
| > wraps the object security access API's in Win32 by means of
| > System.Security .AccessControl classes, v1.1 user can achieve the same
| using
| > System.Director yServices and some ADSI stuff or by using the
| > System.Manageme nt and WMI classes.
| >
| > Willy.
| >
| >
|
|

Thanks, the ability to belong to more than one group and the stated "role of
current logged in user" threw me off.

As I mentioned in the OP, I am able to check which role(s) the user belongs
to. Not what the requirement stated, but cool nonetheless. If anything, it
led me down this path to understand it better.

I haven't started yet on 2.0 (XP Pro SP2 network issues), but the
WindowsBuiltInR ole enumeration is available in 2.0 from a quick msdn2
search. This is only the common groups installed on a Windows system.

Thanks for the help. Happy MLK day.

Mark
"Willy Denoyette [MVP]" <wi************ *@telenet.be> wrote in message
news:Oi******** ******@TK2MSFTN GP15.phx.gbl...

Well, as Windows based 'roles' are mapped to "Windows security group"
membership, and because a user can be a member of more than one security
group, it should be role(s).
Take a user "Bob", which is a member of both 'SalesDpt' and 'AccountMgrs',
Bob is automatically assigned both roles. In your code you can execute
different paths depending on whether he's an account manager or just a
generic member of a sales department.
Note that enumerating user groups (roles) by reflecting private methods like shown by Peter, is NOT the way you should go, this code is non-portable and fails on v2. The only right way to enumerate user groups is by using the
System.Director yServices classes.

Willy.

"Mark White" <ma*******@yaho o.com> wrote in message
news:%2******** ********@TK2MSF TNGP09.phx.gbl. ..
| One other question.
|
| This was on a "skills test". The time has passed, and I'm not interested in
| seeing any code. Just trying to make sense of this.
|
| One of the requirements was to "display the role of the current logged in | user".
|
| This was the test from the tech. manager. Unless it's a typo, shouldn't
it
| be role(s)?
|
| Thanks.
| "Willy Denoyette [MVP]" <wi************ *@telenet.be> wrote in message
| news:%2******** ********@TK2MSF TNGP11.phx.gbl. ..
| >
| > "Mark White" <ma*******@yaho o.com> wrote in message
| > news:%2******** ********@TK2MSF TNGP11.phx.gbl. ..
| > | Hey everyone
| > |
| > | I'm having a great deal of problems finding this information through
| > google
| > | and yahoo, so I turn to you on this.
| > |
| > | I have a Windows app running on XP. I am able to caputre the user's
| Name
| > | property in the WindowsPrincipa l's IIdentity interface.
| > |
| > | Where can I find the role that the user is assigned for the current
| login?
| > | I only want the one role which is assigned for the current user, not
all
| > of
| > | the groups in which the user belongs (that is working fine).
| > |
| > | Do I have to actually test out permissions on files/objects to find
the
| > | current role/group? Seems to be a lot of work going that route for
| > | something which should be accessible in the same interface as Name.
Why
| > | isn't it?
| > |
| > | I'm on 1.1 btw. Has this changed in 2.0?
| > |
| > | Thank you in advance for any help you can give me.
| > |
| > | Mark White
| > |
| > |
| >
| > Roles are not meant to check/control resource access permissions, they
are
| > meant for program access/flow control. These are totally different
things.
| >
| > if(myPrincipal. IsInRole("Sales "))
| > {
| > // Do whatever "Sales" is allowed to do, initialize the UI etc...
| > }
| > else
| > if((myPrincipal .IsInRole("Acco untManagers"))
| > // do whatever "AccountMAnager s" are allowed to do.
| >
| > Resources like file and directory object permissions are checked when a | user
| > opens the resource, this is the task of the OS and (in general) not the | task
| > of an application program. Note that V2.0 includes managed classes that | > wraps the object security access API's in Win32 by means of
| > System.Security .AccessControl classes, v1.1 user can achieve the same
| using
| > System.Director yServices and some ADSI stuff or by using the
| > System.Manageme nt and WMI classes.
| >
| > Willy.
| >
| >
|
|