Hierarchy in user management

 
 
Bob Gregory
      09-21-2004
Hi all,

I'm a newcomer to the .Net framework having worked in bog standard
ASP/SQL for far too long.

I have a massive project coming up, for which I will need to model a
tree structure of users. Users can access other entities in the
database depending on their position in the structure and the
properties of those entities.

As a simple example, each user is a member of a store. Stores are
members of storegroups, storegroups may be members of larger
storegroups and so on. Each store has 0-N widgets, those widgets may
or may not be exposed to other stores and storegroups.

Users at the top of a subtree can see any widgets, users, stores and
groups below them, but may be granted permissions on other objects or
subtrees. Users can also be explicitly denied permissions on an object
or subtree.

Are you keeping up at the back? There'll be a short quiz at the end.

I've built one of these things before, and a right pig of a system it
was too, using separate tables for transitive closure. If you're
interested in the method I worked from, check out
http://citeseer.ist.psu.edu/dong99maintaining.html

This was wonderfully fast for updates, but got painfully slow for the
kind of aggregated selects I need to do for this system.

My question, simply, is what options are available to me in the .Net
framework? I'd rather not have to kludge together a system in an RDBMS
because it gets unwieldy and this thing will need to Scale with a
purposeful capital.

I've looked briefly at directory services, which seem to offer the
right model for the user side of things, but I'd have to tie it into
SQL in such a fashion that a user can retrieve a list of all the
widgets exposed to his subordinate users which aren't explicitly
denied to him.

So, assuming that infrastructure is available by the bucket load
(servers, software, whatever is necessary) what is the best way to
knock something like this up?

-- FlinkyWistyPomm

PS. I apologise for the vagaries, it's the usual All Your Code Are
Belong To Us situation.
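The model described in the post above, as an added example that is not part of the original thread: a transitive closure table answering "which widgets can this user see", with subtree grants and denies. It runs on SQLite through Python for portability; the table names, sample tree and the rule that an explicit deny overrides any grant are assumptions, and per-widget exposure flags are left out.

```python
import sqlite3

# Constructed sample data: (node, parent); stores hang off storegroups.
NODES = [("corp", None), ("north", "corp"), ("south", "corp"),
         ("store1", "north"), ("store2", "north"), ("store3", "south")]
WIDGETS = [("w1", "store1"), ("w2", "store2"), ("w3", "store3")]
HOMES = [("alice", "north"), ("bob", "store1"), ("carol", "corp")]
# Explicit ACL entries on subtree roots: (user, node, effect).
ACL = [("alice", "store3", "grant"), ("alice", "store2", "deny"),
       ("carol", "south", "deny")]

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE closure(anc TEXT, des TEXT, PRIMARY KEY(anc, des));
        CREATE TABLE widget(id TEXT PRIMARY KEY, store TEXT);
        CREATE TABLE home(uid TEXT PRIMARY KEY, node TEXT);
        CREATE TABLE acl(uid TEXT, node TEXT, effect TEXT);
    """)
    parent = dict(NODES)
    for node in parent:
        cur = node
        while cur is not None:  # one row per ancestor, plus the node itself
            db.execute("INSERT INTO closure VALUES (?, ?)", (cur, node))
            cur = parent[cur]
    db.executemany("INSERT INTO widget VALUES (?, ?)", WIDGETS)
    db.executemany("INSERT INTO home VALUES (?, ?)", HOMES)
    db.executemany("INSERT INTO acl VALUES (?, ?, ?)", ACL)
    return db

# Visible = under the user's home node or a granted subtree,
# and not under any subtree explicitly denied to that user.
VISIBLE = """
SELECT DISTINCT w.id FROM widget w
JOIN closure c ON c.des = w.store
WHERE c.anc IN (SELECT node FROM home WHERE uid = :u
                UNION SELECT node FROM acl WHERE uid = :u AND effect = 'grant')
  AND NOT EXISTS (SELECT 1 FROM acl d JOIN closure dc ON dc.anc = d.node
                  WHERE d.uid = :u AND d.effect = 'deny' AND dc.des = w.store)
ORDER BY w.id
"""

def visible_widgets(db, user):
    # The user id is bound as a parameter, never spliced into the SQL text.
    return [row[0] for row in db.execute(VISIBLE, {"u": user})]
```

A user with no home node and no grants matches nothing, so the query fails closed.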
 
richlm
      09-21-2004
Not much specifically in .NET that can help to solve the
architectural/scalability issues here.

Using AD to store your organizational hierarchy + users sounds like a good
choice, and I don't think you can avoid having to store your widgets etc. in
SQL server.

You might want to look at Microsoft "Authorization Manager" (AzMan) - a new
feature in Windows Server 2003.
I'm not sure it can address all of your requirements but it might help.


 
Bob Gregory
      09-22-2004
Hey Rich thanks for the reply,

"richlm" wrote:
> Not much specifically in .NET that can help to solve the
> architectural/scalability issues here.


No, I'm more looking for architecture tips, but there isn't a .Net
architecture group that I'm aware of.

>
> Using AD to store your organizational hierarchy + users sounds like a good
> choice, and I don't think you can avoid having to store your widgets etc. in
> SQL server.
>


I'm fine with storing my widgets in SQL, that's what it's for. My
question, more specifically, is how can I integrate my user directory
with SQL, or do I need to handle that myself?

IOW, is there a native way to use the results of a search on an active
directory against SQL or do I need to write a wrapper to do all that
for me?

If not then you end up posting delimited strings or XML to SQL to
represent a list of users and that's something I want to avoid if
possible. I suppose I could use a template query and include the
results of my ad search in the template, but I detect the first whiffs
of CodeSmell.

Anyone know anything about returning XML from an active directory?

> You might want to look at Microsoft "Authorization Manager" (AzMan) - a new
> feature in Windows Server 2003.
> I'm not sure it can address all of your requirements but it might help.


I've heard vague rumblings about AzMan. I'll have another look at that
and see what occurs to me.


Cheers

-- Bob
 
richlm
      09-22-2004
I guess we have to look forward to the day when the AD store is SQL server.
Then maybe we can do this sort of stuff.

Another thing to look at might be the "Authorization and Profile Application
Block" from Microsoft patterns and practices.


 
Joseph E Shook [MVP - ADSI]
      09-23-2004
Although I don't have a solution for you, I do know that Microsoft
created something similar when they created Commerce Server 2000. They
supplied a User Profile Object along with a configuration architecture
that wrapped access to Active Directory and SQL Server. You may get
some ideas by reading about it. I googled real quick on "commerce
server User Profile Object".

One interesting link on performance characteristics:
http://www.microsoft.com/technet/pro...m/upmtca2.mspx

 