
Role of current windows login user

Hey everyone

I'm having a great deal of problems finding this information through google
and yahoo, so I turn to you on this.

I have a Windows app running on XP. I am able to capture the user's Name
property in the WindowsPrincipal's IIdentity interface.

Where can I find the role that the user is assigned for the current login?
I only want the one role which is assigned for the current user, not all of
the groups in which the user belongs (that is working fine).

Do I have to actually test out permissions on files/objects to find the
current role/group? Seems to be a lot of work going that route for
something which should be accessible in the same interface as Name. Why
isn't it?

I'm on 1.1 btw. Has this changed in 2.0?

Thank you in advance for any help you can give me.

Mark White
Jan 15 '06 #1
8 Replies


Role is a pretty general term. Most Role-based concepts in .NET equate Roles
to Groups. E.g. PrincipalPermission and IPrincipal.IsInRole use Groups as
Roles.

--
http://www.peterRitchie.com/

Jan 15 '06 #2

Mark,
WindowsIdentity has the IsAnonymous, IsAuthenticated, IsGuest, IsSystem and
Name properties.

You can enumerate roles by using a little reflection:

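using System;
using System.Reflection;
using System.Security.Principal;

private void Form1_Load(object sender, System.EventArgs e)
{
    WindowsIdentity id = WindowsIdentity.GetCurrent();
    Type idType = id.GetType();

    // _GetRoles is a private static method of WindowsIdentity, reached
    // here through reflection and passed the current token handle.
    object result = idType.InvokeMember("_GetRoles",
        BindingFlags.Static | BindingFlags.InvokeMethod | BindingFlags.NonPublic,
        null, id, new Object[] { id.Token }, null);

    // Print every role (group) returned for the token.
    string[] roles = (string[])result;
    for (int i = 0; i < roles.Length; i++)
        Console.WriteLine(roles[i]);
}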
--
Co-founder, Eggheadcafe.com developer portal:
http://www.eggheadcafe.com
UnBlog:
http://petesbloggerama.blogspot.com

Jan 15 '06 #3

Roles are not meant to check/control resource access permissions, they are
meant for program access/flow control. These are totally different things.

if (myPrincipal.IsInRole("Sales"))
{
    // Do whatever "Sales" is allowed to do, initialize the UI etc...
}
else if (myPrincipal.IsInRole("AccountManagers"))
{
    // Do whatever "AccountManagers" are allowed to do.
}

Resources like file and directory object permissions are checked when a user
opens the resource; this is the task of the OS and (in general) not the task
of an application program. Note that V2.0 includes managed classes that
wrap the object security access APIs in Win32 by means of the
System.Security.AccessControl classes; v1.1 users can achieve the same using
System.DirectoryServices and some ADSI stuff or by using the
System.Management and WMI classes.

Willy.
Jan 15 '06 #4

Peter

Thanks for replying. I ran your code, and it worked great. But, it doesn't
tell me which role/group the user is currently assigned for that session.

Am I misunderstanding how roles/groups are assigned when booting up? Does
the user get assigned one role/group when logging in or does the user have
the highest permission set of all the groups?

Or the files/apps are only permitted by certain groups/roles, and unless the
user belongs to that group, no access?

I have code that enumerates the built-in roles and it seems to work well.
But it can only check if it IsInRole. Peter, your code is much better than
what I have though.

How can I get the current (1) role/group the logged in user is assigned?

Again, thank you for the help.

Mark

Jan 16 '06 #5

Willy

Thank you for taking the time to explain that. I do appreciate it.

As you can see, my knowledge of the actual plumbing underneath permissions
leaves a bit to be desired. I've never had a need to know it, until now.

Mark

Jan 16 '06 #6

One other question.

This was on a "skills test". The time has passed, and I'm not interested in
seeing any code. Just trying to make sense of this.

One of the requirements was to "display the role of the current logged in
user".

This was the test from the tech. manager. Unless it's a typo, shouldn't it
be role(s)?

Thanks.

Jan 16 '06 #7

Well, as Windows based 'roles' are mapped to "Windows security group"
membership, and because a user can be a member of more than one security
group, it should be role(s).
Take a user "Bob", who is a member of both 'SalesDpt' and 'AccountMgrs';
Bob is automatically assigned both roles. In your code you can execute
different paths depending on whether he's an account manager or just a
generic member of a sales department.
Note that enumerating user groups (roles) by reflecting private methods, as
shown by Peter, is NOT the way you should go; this code is non-portable and
fails on v2. The only right way to enumerate user groups is by using the
System.DirectoryServices classes.

Willy.

Jan 16 '06 #8
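
The point made in the replies above (a login carries every group at once, not one "current" role) can be seen by listing the groups in the logon token. This is an added example, not code from any poster in the thread; it assumes .NET 2.0 or later on Windows and uses the public WindowsIdentity.Groups property, which is neither the private _GetRoles call nor the System.DirectoryServices route mentioned in the thread. The names TokenRoles and GetTokenGroups are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Added example (not from the thread). Requires .NET 2.0+ on Windows.
static class TokenRoles
{
    // Returns the name of every group SID exposed by the identity's token.
    // All of them apply at the same time; none is "the" current role.
    public static List<string> GetTokenGroups(WindowsIdentity id)
    {
        List<string> names = new List<string>();
        IdentityReferenceCollection groups = id.Groups;
        if (groups == null)
            return names;

        foreach (IdentityReference sid in groups)
        {
            try
            {
                // Map the SID to DOMAIN\Group form.
                names.Add(sid.Translate(typeof(NTAccount)).Value);
            }
            catch (IdentityNotMappedException)
            {
                // A SID with no resolvable account name (for example a
                // deleted group) is reported as the raw SID string.
                names.Add(sid.Value);
            }
        }
        return names;
    }

    static void Main()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();
        WindowsPrincipal principal = new WindowsPrincipal(id);

        Console.WriteLine("User: " + id.Name);
        foreach (string group in GetTokenGroups(id))
            Console.WriteLine("  group: " + group);

        // Role checks are independent tests used for program flow, so the
        // same user can pass several of them.
        foreach (WindowsBuiltInRole role in Enum.GetValues(typeof(WindowsBuiltInRole)))
            Console.WriteLine("  " + role + ": " + principal.IsInRole(role));
    }
}
```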

Thanks, the ability to belong to more than one group and the stated "role of
current logged in user" threw me off.

As I mentioned in the OP, I am able to check which role(s) the user belongs
to. Not what the requirement stated, but cool nonetheless. If anything, it
led me down this path to understand it better.

I haven't started yet on 2.0 (XP Pro SP2 network issues), but the
WindowsBuiltInRole enumeration is available in 2.0 from a quick msdn2
search. This is only the common groups installed on a Windows system.

Thanks for the help. Happy MLK day.

Mark

Jan 16 '06 #9
