Re: Role based security - where are permissions/operations ?

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 10/20/04


Date: Wed, 20 Oct 2004 09:28:48 -0500

Dominick has a good point here. Non-Windows SIDs can be used with AzMan.
There is also a QFE available now that makes it work with ADAM SIDs that you
can request.

It sounds like the storage of the data is still your biggest issue. Perhaps
using ADAM would work if AD isn't available though. It is free to
redistribute with server 2K3, so perhaps you could offer that as an option.
It would make sense for AzMan to support storing the policy data in SQL
though.

Dominick, can you help me understand one other point? With non-Windows
SIDs, don't you lose the benefit of Windows groups integration with AzMan
role mapping? If so, doesn't that mean you have to map each individual SID
into its AzMan roles? It seems like that would become a management
nightmare with lots of accounts. Am I missing something here?

Thanks,

Joe K.

"Dominick Baier" <dotnet@leastprivilege.com> wrote in message
news:OgzjFHptEHA.3872@TK2MSFTNGP15.phx.gbl...
> Hi,
>
> first of all - AzMan does also work with non-Windows accounts, because you
> can also use Custom SIDs [0] in the Authorization Store.
>
> A compromise between a local XML File and AD could be a local/remote ADAM
> [1] (Active Directory for Applications) instance to store the AzStore.
>
> Microsoft provides a framework to use AzMan in the Authorization and
> Profiling Block [2] - maybe you want to have a look at that also
>
> dominick - DevelopMentor
> www.leastprivilege.com
>
>
>
> [0]
> http://www.leastprivilege.com/PermaLink.aspx?guid=7cd21d34-8d8d-44ef-888e-153b2c272f91
>
> [1]
> http://www.microsoft.com/downloads/details.aspx?FamilyId=9688F8B9-1034-4EF6-A3E5-2A2A57B5C8E4&displaylang=en
>
> [2]
> http://www.microsoft.com/downloads/details.aspx?FamilyId=BA983AD5-E74F-4BE9-B146-9D2D2C6F8E81&displaylang=en
>
>
> nntp://news.microsoft.com/microsoft.public.dotnet.framework.aspnet.security/>
>
> Joe Kaplan (MVP - ADSI) wrote:
> > You really need to use AzMan if you want a very granular mechanism for
> > assigning permissions to your individual operations. ASP.NET will work
> > fine with AzMan if you are using Windows security, so that shouldn't be a
> > problem.
> >
> > If you can't use AzMan but want similar functionality, then you may need
> > to implement your own framework that does similar stuff.
>
> AzMan has the functionality I need, but its storage of data is a problem.
> Either XML file on disk - OK for development but not for production; or in
> Active Directory, which not all customers will have or want. If AzMan
> could store its data in SQL Server, that would be ideal, but it doesn't
> seem to support this, so doesn't integrate well with database
> applications. The ASP.NET v2.0 role manager does integrate well with SQL
> Server, but lacks the functionality of AzMan.
>
> It looks like granular permission checking for true role based access
> control (RBAC), which also integrates well with SQL Server, will need
> custom coding, and isn't something that appears to be addressed in ASP.NET
> v2.0.
>
> Am I missing something here? This would appear to be a very common need,
> so I find it hard to believe that .NET doesn't provide a solution for
> this, other than "code-it-yourself".
>
> Thanks,
> Andy Mackie.
>
> [microsoft.public.dotnet.framework.aspnet.security]
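As an added illustration of the two points raised in this thread (a SQL-backed store for AzMan-style operation/role policy, and Joe's question about mapping group SIDs rather than every individual SID into roles), here is a small example that is not from any of the posters or from AzMan itself. It assumes only the Python standard library's sqlite3 module, uses constructed sample SIDs, and models a simplified subset of AzMan (operations and roles, no tasks or scopes); role members may be user SIDs or group SIDs, and group membership is expanded at check time so a single group assignment covers all of its members.

```python
import sqlite3

# Constructed sample SIDs (not real accounts), in the S-1-... string shape AzMan uses.
ALICE = "S-1-5-21-1000000000-2000000000-3000000000-1101"
BOB = "S-1-5-21-1000000000-2000000000-3000000000-1102"
ACCOUNTS_GROUP = "S-1-5-21-1000000000-2000000000-3000000000-2001"

SCHEMA = """
CREATE TABLE role_operation(role TEXT, operation TEXT, PRIMARY KEY(role, operation));
CREATE TABLE role_member(role TEXT, sid TEXT, PRIMARY KEY(role, sid));  -- user OR group SID
CREATE TABLE group_member(group_sid TEXT, member_sid TEXT, PRIMARY KEY(group_sid, member_sid));
"""

def open_store():
    """Create an empty policy store (in memory here; any SQL database would do)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def effective_sids(db, sid):
    """The principal's own SID plus every group it belongs to, expanded transitively."""
    seen, todo = set(), [sid]
    while todo:
        s = todo.pop()
        if s in seen:
            continue
        seen.add(s)
        todo.extend(g for (g,) in db.execute(
            "SELECT group_sid FROM group_member WHERE member_sid = ?", (s,)))
    return seen

def access_check(db, sid, operation):
    """True if any role holding the operation has the principal or one of its groups as member."""
    sids = sorted(effective_sids(db, sid))
    marks = ",".join("?" * len(sids))
    row = db.execute(
        f"SELECT 1 FROM role_member rm JOIN role_operation ro ON ro.role = rm.role "
        f"WHERE ro.operation = ? AND rm.sid IN ({marks}) LIMIT 1", (operation, *sids)).fetchone()
    return row is not None  # deny by default: no matching role means no access

def build_sample_store():
    """Constructed policy: clerks enter/view invoices, approvers approve/view them."""
    db = open_store()
    db.executemany("INSERT INTO role_operation VALUES (?, ?)", [
        ("Approver", "ApproveInvoice"), ("Approver", "ViewInvoice"),
        ("Clerk", "ViewInvoice"), ("Clerk", "EnterInvoice")])
    db.executemany("INSERT INTO role_member VALUES (?, ?)", [
        ("Clerk", ACCOUNTS_GROUP), ("Approver", ALICE)])  # one group SID covers every clerk
    db.executemany("INSERT INTO group_member VALUES (?, ?)", [(ACCOUNTS_GROUP, BOB)])
    return db
```

Bob is never named in a role; he is a Clerk only because the accounts group is, which is the group-to-role mapping the thread asks about, and an unknown SID is denied everything.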
