471,873 Members | 2,000 Online
Bytes | Software Development & Data Engineering Community
Post +

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 471,873 software developers and data experts.

WindowsPrincipal.IsInRole actually check roles and NOT groups?


I currently have my application setup and built using Windows
Authentication (WindowsPrincipal). For security checks, I simply do
an IsInRole call on the Principal. The role permissions are hard-
coded, something like this:

private static string[] allowedReadRoles = new string[] { "Sales",
"Ordering" };

I now need to brand my application, and while the roles will remain
the same, the problem is that IsInRole is functioning via group
membership. The branding will be for other companies, which are owned
by the same owners, and use the same office buildings, network /
domain and computers are the main company (the other companies have
less than 10 people).

So, adding the users for Company B to existing groups isn't really an
option... they'd have access to the application for Company A. In the
database that would work, since I add logons for new groups and map
them to existing database roles. For my code though, I don't see a
way to do this. I could provide a similar mapping, but that would
require me to update multiple databases to do the mappings each time I
add a new role to the application.

Any other ideas? Has anyone used Authentication Manager, which allows
you to define real roles, not AD Groups? Is there anything that puts
actual roles in WindowsPrincipal.IsInRole, not just windows groups?
It seems an odd thing; AD groups aren't roles, yet WindowsPrincipal
treats them as such.

Jun 27 '08 #1
1 5224
Well, if it helps, even with windows identity you can provide your own
roles definitions. If you can look them up from somewhere,
GenericPrincipal may be of use - alternatively create your own
IPrincipal that performs IsInRole... (perhaps prepending an NT name
onto the role per instance?)

But essentially you are going to have to store the data somewhere...

Some ideas...


using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;
static class Program
static void Main()
string[] userRoles = { "Sales" };
Thread.CurrentPrincipal = new
GenericPrincipal(WindowsIdentity.GetCurrent(), userRoles);
catch (SecurityException)
Console.WriteLine("Admin failed ;-p");
[PrincipalPermission(SecurityAction.Demand, Role="Sales")]
static void TestSales() { Console.WriteLine("Sales"); }
[PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
static void TestAdmin() { Console.WriteLine("Admin"); }
// another idea for separating the data...
class SuffixPrincipal : IPrincipal
private readonly IPrincipal parent;
private readonly string roleSuffix;
public SuffixPrincipal(IPrincipal parent, string roleSuffix)
if (parent == null) throw new ArgumentNullException("parent");
this.parent = parent;
this.roleSuffix = roleSuffix;
public IIdentity Identity { get { return parent.Identity; } }
public bool IsInRole(string role)
return parent.IsInRole(role + roleSuffix);
Jun 27 '08 #2

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

2 posts views Thread by Esteban404 | last post: by
reply views Thread by Mark | last post: by
2 posts views Thread by Dave | last post: by
8 posts views Thread by Oliver Rainer | last post: by
reply views Thread by wk6pack | last post: by

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.