WindowsPrincipal.IsInRole actually check roles and NOT groups?


I currently have my application set up and built using Windows
Authentication (WindowsPrincipal). For security checks, I simply do
an IsInRole call on the Principal. The role permissions are hard-
coded, something like this:

private static string[] allowedReadRoles = new string[] { "Sales",
"Ordering" };

I now need to brand my application, and while the roles will remain
the same, the problem is that IsInRole is functioning via group
membership. The branding will be for other companies, which are owned
by the same owners, and use the same office buildings, network /
domain and computers as the main company (the other companies have
less than 10 people).

So, adding the users for Company B to existing groups isn't really an
option... they'd have access to the application for Company A. In the
database that would work, since I add logons for new groups and map
them to existing database roles. For my code though, I don't see a
way to do this. I could provide a similar mapping, but that would
require me to update multiple databases to do the mappings each time I
add a new role to the application.

Any other ideas? Has anyone used Authentication Manager, which allows
you to define real roles, not AD Groups? Is there anything that puts
actual roles in WindowsPrincipal.IsInRole, not just Windows groups?
It seems an odd thing; AD groups aren't roles, yet WindowsPrincipal
treats them as such.

Jun 27 '08 #1
Well, if it helps, even with Windows identity you can provide your own
roles definitions. If you can look them up from somewhere,
GenericPrincipal may be of use - alternatively create your own
IPrincipal that performs IsInRole... (perhaps prepending an NT name
onto the role per instance?)

But essentially you are going to have to store the data somewhere...

Some ideas...


using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

static class Program
{
    static void Main()
    {
        // Roles are supplied by the application, not read from AD groups
        string[] userRoles = { "Sales" };
        Thread.CurrentPrincipal = new
            GenericPrincipal(WindowsIdentity.GetCurrent(), userRoles);
        try
        {
            TestSales(); // demand for "Sales" is satisfied
            TestAdmin(); // demand for "Admin" throws SecurityException
        }
        catch (SecurityException)
        {
            Console.WriteLine("Admin failed ;-p");
        }
    }
    [PrincipalPermission(SecurityAction.Demand, Role = "Sales")]
    static void TestSales() { Console.WriteLine("Sales"); }
    [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
    static void TestAdmin() { Console.WriteLine("Admin"); }
}
// another idea for separating the data...
class SuffixPrincipal : IPrincipal
{
    private readonly IPrincipal parent;
    private readonly string roleSuffix;
    public SuffixPrincipal(IPrincipal parent, string roleSuffix)
    {
        if (parent == null) throw new ArgumentNullException("parent");
        this.parent = parent;
        this.roleSuffix = roleSuffix;
    }
    public IIdentity Identity { get { return parent.Identity; } }
    // Delegates to the wrapped principal with the per-instance suffix appended
    public bool IsInRole(string role)
    {
        return parent.IsInRole(role + roleSuffix);
    }
}
Jun 27 '08 #2
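
The explicit role-to-group mapping discussed in this thread can also live in a wrapping principal, so the hard-coded role names stay the same for every brand. This is an added example, not code from either post: `MappedRolePrincipal`, the `DOMAIN\CompanyB-*` group names and the sample user are hypothetical, and a `GenericPrincipal` stands in for the `WindowsPrincipal` so it runs without a domain.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

// Hypothetical wrapper: resolves application roles to per-company group names.
sealed class MappedRolePrincipal : IPrincipal
{
    private readonly IPrincipal inner;
    private readonly Dictionary<string, string[]> roleToGroups;

    public MappedRolePrincipal(IPrincipal inner, IDictionary<string, string[]> map)
    {
        if (inner == null) throw new ArgumentNullException("inner");
        if (map == null) throw new ArgumentNullException("map");
        this.inner = inner;
        // Copy so later changes to the caller's dictionary cannot widen access.
        roleToGroups = new Dictionary<string, string[]>(map, StringComparer.OrdinalIgnoreCase);
    }

    public IIdentity Identity { get { return inner.Identity; } }

    public bool IsInRole(string role)
    {
        string[] groups;
        // Fail closed: a null, empty or unmapped role grants nothing.
        if (string.IsNullOrEmpty(role) || !roleToGroups.TryGetValue(role, out groups) || groups == null)
            return false;
        return groups.Any(g => inner.IsInRole(g));
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed sample user whose only group is Company B's sales group.
        IPrincipal user = new GenericPrincipal(
            new GenericIdentity(@"DOMAIN\bob"), new[] { @"DOMAIN\CompanyB-Sales" });
        // Constructed mapping for the Company B build (assumed to come from that brand's config).
        var map = new Dictionary<string, string[]>
        {
            { "Sales", new[] { @"DOMAIN\CompanyB-Sales" } },
            { "Ordering", new[] { @"DOMAIN\CompanyB-Ordering" } }
        };
        IPrincipal p = new MappedRolePrincipal(user, map);
        foreach (string role in new[] { "Sales", "Ordering", "Admin", null })
            Console.WriteLine("{0}: {1}", role ?? "(null)", p.IsInRole(role));
    }
}
```

Assigning such a wrapper to `Thread.CurrentPrincipal` keeps existing `IsInRole` calls and `PrincipalPermission` demands unchanged while each brand ships its own mapping.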
