Re: Active Directory vs SqlServer which way to go?

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 11/07/05


Date: Mon, 7 Nov 2005 10:51:45 -0600

However you want!

The most basic idea might be to have a bunch of appSettings that do
something like:

<add key="role1" value="domain\group1"/>

Then, in your code, translate from "role1" into the actual group name at
runtime.

You can do many fancier things than that such as creating your own
IPrincipal object that does this mapping for you so that it responds
true/false to "role1" instead of "domain\group1". You can create your own
custom configuration to store it. You can store the mapping in SQL.
Whatever you want to do...

Joe K.

"Patrick.O.Ige" <patrickige@optusnet.com.au> wrote in message
news:%231gRNo34FHA.3348@TK2MSFTNGP10.phx.gbl...
> Joe when you say mapping how would I go by mapping
> the groups. And how would it be stored in Web.Config?
> Patrick
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> in message news:#D5dpIb4FHA.3636@TK2MSFTNGP09.phx.gbl...
>> Why not just create a simple mapping between groups and
> application-specific
>> roles and store it in SQL or web.config or whatever? Then you don't
>> hard-code the groups in your checks, but allow Windows to do the heavy
>> lifting for you of figuring out your group membership at runtime?
>>
>> That is essentially what AzMan is about, although it is significantly
>> more
>> capable and includes several additional levels of indirection to support
>> more granularity in your authorization (which can lead to better
>> maintainability if you choose your operations carefully).
>>
>> Joe K.
>>
>> "Patrick.O.Ige" <patrickige@optusnet.com.au> wrote in message
>> news:%23FFvhLZ4FHA.1188@TK2MSFTNGP12.phx.gbl...
>> > Thx Joe for the response.
>> > Joe I know it's like reinventing the wheel.
>> > But it has been a debate with some other developers and I have been
> trying
>> > to explain this.
>> > They just feel hardcoding the group using IsInRole to perform
>> > Authorisation
>> > is not good enough but the funniest thing
>> > is that even if you use SQL server you would have to write stored
>> > procedures
>> > and at the same time maintain the sync with AD Groups.
>> > Actually I have come across AzMan and I will get more into it.
>> > Thx guys..
>> > If there is more resources out there please do forward them.
>> > And thanks Jan for the snippet info but it would be nice if you could
> blog
>> > that
>> > or post more tutorials to help give others
>> >
>> >
>> >
>> >
>> > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com>
> wrote
>> > in message news:O#cWjgV4FHA.2872@TK2MSFTNGP15.phx.gbl...
>> >> If the data is already in AD, what benefit could you get from trying
>> >> to
>> > copy
>> >> it into SQL server? That just sounds like a sync nightmare.
>> >>
>> >> It seems relatively straightforward to show and hide menu items based
> on
>> >> calls to IsInRole and just use Windows authentication.
>> >>
>> >> I would probably add some sort of mapping layer so you have some
>> > indirection
>> >> between the actual groups used to give you some configurability at
>> > runtime.
>> >> AzMan is a good framework for this, but you can put something lighter
>> > weight
>> >> together if you don't want to deal with it.
>> >>
>> >> Joe K.
>> >>
>> >> "Patrick.O.Ige" <patrickige@optusnet.com.au> wrote in message
>> >> news:OgxH$IS4FHA.3036@TK2MSFTNGP15.phx.gbl...
>> >> > If I want to generate a menu structure depending on who is logged in
>> >> > in an intranet system (using windows authentication) is it better to
> use
>> >> > the
>> >> > GROUPS in Active Directory
>> >> > or to move the Active Directory groups into a Sql Server database
>> >> > and
>> > base
>> >> > the authorization and authentication on the SQL Server
>> >> > roles/groups?
>> >> > What's the best way to make use of the GROUPS in active directory to
>> >> > authorize
>> >> > users apart from using web.config where you have to set it
>> > configuratively
>> >> > like below (but I don't want this)
>> >> > <authorization>
>> >> > <allow roles="DOMAIN\HRUsers" />
>> >> > <deny users="*" />
>> >> > </authorization>
>> >> > This works if I want to deny users who are not part of the GROUP
>> >> > "HRUSERS" (which just denies the URL .aspx page)
>> >> > Is it possible to store/collect all the Active Directory groups and
> use
>> > it
>> >> > in code to validate against USERS?
>> >> > (Apart from storing it in SQL server?)
>> >> >
>> >> > or
>> >> > programmatically by doing :-
>> >> > If Not (User.IsInRole("HR")) And Not (User.IsInRole("Managers")) Then
>> >> > ' Display the Button
>> >> > Else
>> >> > ' Don't display it!
>> >> > End If
>> >> > The bad side to these methods is that if you are calling a method
>> >> > several
>> >> > times from different applications, you will need to repeat the
>> >> > logic
>> > all
>> >> > the time. How can I do it declaratively using Active Directory.
>> >> > I know if I use a database with stored procedures that would be a
>> > benefit.
>> >> > Any thoughts?
>> >> >
>> >> >
>> >>
>> >>
>> >
>> >
>>
>>
>
>
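
The mapping layer discussed in this thread, as an added C# example that is not code from any of the posters: an IPrincipal wrapper that answers IsInRole for application role names by looking up the mapped group. The class name, the ';' separator for several groups per role, and the sample users and groups are assumptions of this example; the collection passed in is assumed to hold only role entries.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Security.Principal;

// Wraps the authenticated principal so that IsInRole answers for
// application role names ("role1") rather than AD group names.
public sealed class MappedRolePrincipal : IPrincipal
{
    private readonly IPrincipal _inner;
    private readonly Dictionary<string, string[]> _map =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase);

    // settings: role name -> group name(s), e.g. the appSettings entries.
    // Several groups per role separated by ';' is an assumption of this example.
    public MappedRolePrincipal(IPrincipal inner, NameValueCollection settings)
    {
        if (inner == null) throw new ArgumentNullException("inner");
        _inner = inner;
        foreach (string key in settings.AllKeys)
            if (key != null)
                _map[key] = (settings[key] ?? "").Split(
                    new[] { ';' }, StringSplitOptions.RemoveEmptyEntries);
    }
    public IIdentity Identity { get { return _inner.Identity; } }

    public bool IsInRole(string role)
    {
        string[] groups;
        // Fail closed: a role with no mapping grants nothing, and raw
        // group names are not accepted in place of application roles.
        if (role == null || !_map.TryGetValue(role, out groups)) return false;
        foreach (string g in groups)
            if (_inner.IsInRole(g.Trim())) return true;
        return false;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data standing in for appSettings and a Windows user.
        var settings = new NameValueCollection();
        settings.Add("role1", @"domain\group1");
        settings.Add("hr", @"DOMAIN\HRUsers;DOMAIN\Managers");
        var user = new GenericPrincipal(
            new GenericIdentity(@"DOMAIN\alice"), new[] { @"DOMAIN\HRUsers" });
        var p = new MappedRolePrincipal(user, settings);
        Console.WriteLine(p.IsInRole("hr"));              // mapped, user is in a mapped group
        Console.WriteLine(p.IsInRole("role1"));           // mapped, user is not in the group
        Console.WriteLine(p.IsInRole(@"DOMAIN\HRUsers")); // raw group name, not a mapped role
    }
}
```

In an ASP.NET application the wrapper would be built around the Windows-authenticated principal and assigned to HttpContext.Current.User, so existing User.IsInRole checks resolve against the mapping.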


