Active Directory vs SqlServer which way to go?

 
 
Patrick.O.Ige
      11-04-2005
If I want to generate a menu structure depending on who is logged in
in an intranet system (using Windows authentication), is it better to use the
GROUPS in Active Directory
or to move the Active Directory groups into a SQL Server database and base
the authorization and authentication on the SQL Server roles/groups?
What's the best way to make use of the GROUPS in Active Directory to authorize
users, apart from using web.config, where you have to set it configuratively
like below (but I don't want this)?

    <authorization>
        <allow roles="DOMAIN\HRUsers" />
        <deny users="*" />
    </authorization>

This works if I want to deny users who are not part of the GROUP
"HRUSERS" (which just denies the URL .aspx page).
Is it possible to store/collect all the Active Directory groups and use them
in code to validate against USERS?
(Apart from storing them in SQL Server?)

or
programmatically by doing:

    If Not (User.IsInRole("HR")) And Not (User.IsInRole("Managers")) Then
        ' Display the Button
    Else
        ' Don't display it!
    End If

The bad side to these methods is that if you are calling a method several
times from different applications, you will need to repeat the logic all
the time. How can I do it declaratively using Active Directory?
I know if I use a database with stored procedures that would be a benefit.
Any thoughts?


 
Jan Peter Stotz
      11-04-2005
Patrick.O.Ige wrote:

> If Not (User.IsInRole("HR")) And Not (User.IsInRole("Managers")) Then
>     ' Display the Button
> Else
>     ' Don't display it!
> End If
>
> The bad side to these methods is that if you are calling a method several
> times from different applications, you will need to repeat the logic all
> the time. How can I do it declaratively using Active Directory?
> I know if I use a database with stored procedures that would be a benefit.
> Any thoughts?


You can create a custom control button that only shows up if the user is in
a role specified by a new property of the control. I created a
button-control and a panel-control which work this way. This makes it very
easy to hide and show role-specific parts of a page.

Jan
 
Patrick.O.Ige
      11-04-2005
Thx Jan for the reply.
But where were your roles coming from?
Is it from AD?

Jan Peter Stotz
      11-04-2005
Patrick.O.Ige wrote:

> Thx Jan for the reply.
> But where were your roles coming from?
> Is it from AD?

My own Principal implementation. I am using .NET 1.1 with form-based
authentication. I do not use a plain role-based access model.
My model uses a hierarchy based on the group memberships in the AD (I use
the property "tokenGroups" for getting all memberships including those which
are set as primary group):

Jan
 
 
Patrick Allmond
      11-04-2005
Pardon me for poking in on this conversation, but do you have any examples of
this for the relatively inexperienced? I have the same issue as the original
poster, but I don't have his experience.

Thanks,
Patrick

Joe Kaplan (MVP - ADSI)
      11-04-2005
If the data is already in AD, what benefit could you get from trying to copy
it into SQL server? That just sounds like a sync nightmare.

It seems relatively straightforward to show and hide menu items based on
calls to IsInRole and just use Windows authentication.

I would probably add some sort of mapping layer so you have some indirection
between the actual groups used to give you some configurability at runtime.
AzMan is a good framework for this, but you can put something lighter weight
together if you don't want to deal with it.

Joe K.

Jan Peter Stotz
      11-04-2005
Patrick Allmond wrote:

> Pardon me for poking in on this conversation, but do you have any examples of
> this for the relatively inexperienced? I have the same issue as the original
> poster, but I don't have his experience.

I didn't have the experience when I started to create my ASP.NET
application. Usually I am "learning-by-doing"...

I found a lot of articles on MSDN and the web that helped me to understand
how authentication in ASP.NET works.
For more information search Google for (or parts of it):
asp .net forms authentication active directory

One of the first links I get is this:
"Building Secure ASP.NET Applications: Authentication, Authorization, and
Secure Communication"
http://msdn.microsoft.com/library/en...SecNetHT02.asp

It doesn't explain much, but it is a simple how-to and may help you with
your start.

Jan
 
 
Patrick Allmond
      11-04-2005
Sorry I did not clarify. Specifically I meant how did you get the custom
control property to work - the one that checks the role before it decides to
display or not?

patrick

Jan Peter Stotz
      11-04-2005
Patrick Allmond wrote:

> Sorry I did not clarify. Specifically I meant how did you get the custom
> control property to work - the one that checks the role before it decides to
> display or not?

OK, I am not an expert in custom controls, so I post my code (VB.NET)
allowing everybody to review it.
I hope the posted code compiles. I had to make some changes with a
text editor to simplify it and had no VB.NET compiler at hand for checking if
it works. My original code uses a separate class called "Authentificator"
that implements my special "isinRole-Check". The posted version can only
check one role, but it is easy to extend it to accept a somehow separated
list (e.g. semicolon) of roles that will be checked.

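Imports System
Imports System.Security.Principal
Imports System.Web
Imports System.Web.UI
Imports System.Web.UI.WebControls

Namespace MyWebControls
    ' Button that is rendered, and whose postback events fire, only when the
    ' current user is in RequiredRole.
    Public Class SecurityButton : Inherits Button

        Private _RequiredRole As String

        Public Property RequiredRole() As String
            Get
                Return _RequiredRole
            End Get
            Set(ByVal Value As String)
                _RequiredRole = Value
            End Set
        End Property

        ' Emit no HTML for users outside the role.
        ' HttpContext.Current.User is an IPrincipal ("Principal" is not a framework type).
        Protected Overrides Sub Render(ByVal Output As HtmlTextWriter)
            Dim p As IPrincipal = HttpContext.Current.User
            If p.IsInRole(_RequiredRole) Then
                MyBase.Render(Output)
            End If
        End Sub

        ' Hiding the button is not enough: repeat the check when the postback arrives.
        Protected Overrides Sub OnCommand(ByVal e As CommandEventArgs)
            Dim p As IPrincipal = HttpContext.Current.User
            If p.IsInRole(_RequiredRole) Then
                MyBase.OnCommand(e)
            End If
        End Sub

        ' Button raises Click as well as Command on postback, so Click handlers
        ' need the same guard.
        Protected Overrides Sub OnClick(ByVal e As EventArgs)
            Dim p As IPrincipal = HttpContext.Current.User
            If p.IsInRole(_RequiredRole) Then
                MyBase.OnClick(e)
            End If
        End Sub
    End Class
End Namespace

test.aspx:

<%@ Page Language="VB" %>
<%@ Register TagPrefix="asps" Namespace="MyWebControls"
    Assembly="MyWebControls" %>
[..]
<asps:SecurityButton RequiredRole="DOMAIN\Groupname" id="mySecurityButton"
    runat="server" />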

Jan
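
Added example, not code from any poster in this thread: one lightweight form of the mapping layer Joe Kaplan suggests earlier, which also covers the semicolon-separated role list Jan mentions. The names RoleMap and IsAllowed, the permission names and the `permission=GROUP1;GROUP2` line format are assumptions of this example, and it uses generics, so it needs .NET 2.0 or later rather than the 1.1 used in the thread.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Security.Principal

' Maps application-level permission names to directory groups, so pages and
' controls never hard-code DOMAIN\Group strings (hypothetical helper class).
Public Class RoleMap
    Private ReadOnly _map As New Dictionary(Of String, String())(StringComparer.OrdinalIgnoreCase)

    ' Each line: permission=GROUP1;GROUP2 (format is an assumption of this example).
    Public Sub New(ByVal lines As IEnumerable(Of String))
        For Each line As String In lines
            Dim parts() As String = line.Split(New Char() {"="c}, 2)
            If parts.Length <> 2 OrElse parts(0).Trim().Length = 0 Then
                Throw New FormatException("Bad mapping line: " & line)
            End If
            Dim groups As New List(Of String)
            For Each g As String In parts(1).Split(";"c)
                If g.Trim().Length > 0 Then groups.Add(g.Trim())
            Next
            _map(parts(0).Trim()) = groups.ToArray()
        Next
    End Sub

    ' Fail closed: unknown permission, missing user or anonymous user gives False.
    Public Function IsAllowed(ByVal user As IPrincipal, ByVal permission As String) As Boolean
        If user Is Nothing OrElse user.Identity Is Nothing Then Return False
        If Not user.Identity.IsAuthenticated Then Return False
        Dim groups() As String = Nothing
        If permission Is Nothing OrElse Not _map.TryGetValue(permission, groups) Then Return False
        For Each g As String In groups
            If user.IsInRole(g) Then Return True
        Next
        Return False
    End Function
End Class

Module Demo
    Sub Main()
        ' Constructed sample mapping and users; a real page would load the lines
        ' from configuration and pass HttpContext.Current.User instead.
        Dim map As New RoleMap(New String() {"ViewSalaryMenu=DOMAIN\HRUsers;DOMAIN\Managers", "EditPolicies=DOMAIN\HRUsers"})
        Dim hr As New GenericPrincipal(New GenericIdentity("alice"), New String() {"DOMAIN\HRUsers"})
        Dim mgr As New GenericPrincipal(New GenericIdentity("bob"), New String() {"DOMAIN\Managers"})
        Console.WriteLine("HR user, EditPolicies: " & map.IsAllowed(hr, "EditPolicies"))
        Console.WriteLine("Manager, EditPolicies: " & map.IsAllowed(mgr, "EditPolicies"))
        Console.WriteLine("Manager, ViewSalaryMenu: " & map.IsAllowed(mgr, "ViewSalaryMenu"))
        Console.WriteLine("Manager, unmapped permission: " & map.IsAllowed(mgr, "NoSuchPermission"))
    End Sub
End Module
```

A control such as SecurityButton could then take a permission name instead of a group name and call IsAllowed with HttpContext.Current.User, so changing which groups hold a permission becomes a configuration change rather than a code change.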
 
 
Patrick.O.Ige
      11-04-2005
Thx Joe for the response.
Joe, I know it's like reinventing the wheel.
But it has been a debate with some other developers and I have been trying
to explain this.
They just feel hardcoding the group using IsInRole to perform authorisation
is not good enough, but the funniest thing
is that even if you use SQL Server you would have to write stored procedures
and at the same time maintain the sync with AD groups.
Actually I have come across AzMan and I will get more into it.
Thx guys.
If there are more resources out there please do forward them.
And thanks Jan for the snippet info, but it would be nice if you could blog that
or post more tutorials to help give others