What is the best approach?

Andrew
12-21-2005
Hello, friends,

I implemented Forms Authentication in my asp.net app, and it worked fine.
However, now I have another problem:

Although a user can be authenticated, he/she may still not be allowed to
view certain pages and folders. For example, a junior member cannot view
pages for senior members, although he/she can log into the web site. What is
the best approach to do this?

Any reference papers, sample code? Thanks.
 
Dominick Baier [DevelopMentor]
12-21-2005
Hello Andrew,

have a look at the <authorization> element in web.config.


---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Andrew
12-21-2005
<configuration>
  <system.web>
    <authorization>
      <!-- Rules are evaluated top to bottom and the first match wins,
           so the allow rule has to come before the catch-all deny. -->
      <allow roles="Admins"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</configuration>

This requires me to "manually" add each new registered member into a
predefined role, say "Junior", "Senior", right?

Dominick Baier [DevelopMentor]
12-21-2005
Hello Andrew,

right

also read this:
http://www.leastprivilege.com/ASPNET...nSettings.aspx
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Andrew
12-21-2005
That is not good to us:

After a user (a Junior) registered in my website, he/she should be able to
access all pages, except pages for Senior members, right away.

He/she cannot wait for us to manually add them into a role, because we may
not check new members for days.

Any other automatic ways? Thanks...

Joe Kaplan (MVP - ADSI)
12-21-2005
This depends on how your roles are being generated and how your identity
lifecycle works. For example, if you store your users in SQL and keep your
role definitions in SQL, then the user would just need to do something that
would trigger their addition to the new role. Then, a new logon should give
them the new role.

If you were using Windows authentication, then the role membership would
come directly from the user's AD groups.

The bottom line is that you can make it work however you want. The key is
getting the users in the right roles and having that data provided to the
forms authentication system. The <authorization> element is just a nice way
to declaratively determine who gets access to what using the built-in
UrlAuthorizationModule.

Joe K.
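
The flow Joe describes, as an added example that is not part of the original thread: roles are read from the application's own store at logon, carried in the forms authentication ticket, and attached to the request so that UrlAuthorizationModule can evaluate <allow roles="..."/>. It assumes roles are kept outside the ASP.NET 2.0 Role Manager and that role names never contain '|'; SignIn is a hypothetical helper name.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

// Added example (not from the thread): code-behind for Global.asax.
// Assumes roles live in your own store (e.g. SQL) and that role names never
// contain '|'. SignIn is a hypothetical helper name.
public class Global : HttpApplication
{
    // Call once the password check has succeeded. 'roles' must come from the
    // server-side store, never from anything the browser sent.
    public static void SignIn(HttpResponse response, string userName,
                              string[] roles)
    {
        // The role list travels in UserData. Encrypt() protects it against
        // reading and tampering as long as <forms protection="All"> (the
        // default) is left in place.
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                              // ticket version
            userName,
            DateTime.Now,                   // issued
            DateTime.Now.AddMinutes(30),    // expires
            false,                          // not persistent
            string.Join("|", roles));       // UserData

        HttpCookie cookie = new HttpCookie(
            FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;
        cookie.Secure = FormsAuthentication.RequireSSL;
        cookie.Path = FormsAuthentication.FormsCookiePath;
        response.Cookies.Add(cookie);
    }

    // Runs on every request, after FormsAuthenticationModule has validated
    // the cookie and before UrlAuthorizationModule applies <authorization>.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx.User == null) return;                   // anonymous request

        FormsIdentity id = ctx.User.Identity as FormsIdentity;
        if (id == null || !id.IsAuthenticated) return;

        string[] roles = id.Ticket.UserData.Split(
            new char[] { '|' }, StringSplitOptions.RemoveEmptyEntries);

        // Replace the role-less principal so <allow roles="..."/> can match.
        // The list is a snapshot from logon: a role change takes effect only
        // when a new ticket is issued.
        ctx.User = new GenericPrincipal(id, roles);
    }
}
```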
 
Dominick Baier [DevelopMentor]
12-21-2005
Hello Andrew,

why not add them to a role programmatically upon registration?
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
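
One way to do what Dominick suggests, as an added example that is not part of the original thread: the account is created and placed in the lowest-privilege role in the same server-side step. It assumes ASP.NET 2.0 with the Membership and Role Manager providers enabled (<roleManager enabled="true"/>); the role names "Junior" and "Senior", the class name and the ~/Senior folder are hypothetical.

```csharp
using System;
using System.Web.Security;

// Added example (not from the thread). Assumes ASP.NET 2.0 with
// <roleManager enabled="true"/> and a configured membership provider.
// "Junior"/"Senior" and the class name are hypothetical.
//
// Matching web.config rule for a hypothetical ~/Senior folder; order matters
// because the first matching rule wins:
//   <location path="Senior">
//     <system.web><authorization>
//       <allow roles="Senior"/>
//       <deny users="*"/>
//     </authorization></system.web>
//   </location>
public static class Registration
{
    // Lowest-privilege role; every new account starts here.
    private const string DefaultRole = "Junior";

    public static MembershipCreateStatus Register(
        string userName, string password, string email)
    {
        MembershipCreateStatus status;
        // passwordQuestion/Answer are null: assumes the provider is configured
        // with requiresQuestionAndAnswer="false".
        Membership.CreateUser(userName, password, email,
                              null, null, true, out status);
        if (status != MembershipCreateStatus.Success)
            return status;          // duplicate name, weak password, ...

        try
        {
            if (!Roles.RoleExists(DefaultRole))
                Roles.CreateRole(DefaultRole);
            // The role is a server-side constant. Never take it from a form
            // field or query string, or a visitor could register as "Senior".
            Roles.AddUserToRole(userName, DefaultRole);
        }
        catch (Exception)
        {
            // Do not leave a half-provisioned account behind.
            Membership.DeleteUser(userName, true);
            throw;
        }
        return status;
    }

    // Promotion is a separate, privileged operation, e.g. called from a page
    // that web.config restricts to administrators.
    public static void PromoteToSenior(string userName)
    {
        if (!Roles.IsUserInRole(userName, "Senior"))
            Roles.AddUserToRole(userName, "Senior");
    }
}
```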
 
Andrew
12-21-2005
good idea, and how,
any sample source code or reference papers?
thanks....

Andrew
12-21-2005
any reference papers that contain more details on what you mentioned?

thanks...

"Joe Kaplan (MVP - ADSI)" wrote:

> This depends on how your roles are being generated and how your identity
> lifecycle works. For example, if you store your users in SQL and keep your
> role definitions in SQL, then the user would just need to do something that
> would trigger their addition to the new role. Then, a new logon should give
> them the new role.
>
> If you were using Windows authentication, then the role membership would
> come directly from the user's AD groups.
>
> The bottom line is that you can make it work however you want. The key is
> getting the users in the right roles and having that data provided to the
> forms authentication system. The <authorization> element is just a nice way
> to declaratively determine who gets access to what using the built-in
> UrlAuthorizationModule.
>
> Joe K.

Joe Kaplan (MVP - ADSI)
12-21-2005
I think a Google search on "designing role-based authorization .NET" will
get you started. There are also many great books around.

Joe K.