Re: Active Directory vs SqlServer which way to go?

From: Patrick.O.Ige (patrickige_at_optusnet.com.au)
Date: 11/18/05


Date: Fri, 18 Nov 2005 19:47:39 +1100

Thx Joe for the reply.
I was just wondering that if I use Active Directory and make use of the Roles
in my Application if a user belongs to more than one GROUP in the AD
and I need to assign some permissions to perform a particular task.
Let's say a page where an Admin user can Edit/update a field and other users
can't.
So for example if I use SQL server tables I can have Roleid's and assign it
to users, for example 1-Edit, 2-Update etc.. I can do it to a user level...
Is there a way to perform such task with the AD?
I mean to the user level?

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
in message news:eW0ZEu74FHA.3544@TK2MSFTNGP09.phx.gbl...
> However you want!
>
> The most basic idea might be to have a bunch of appSettings that do
> something like:
>
> <add key="role1" value="domain\group1"/>
>
> Then, in your code, translate from "role1" into the actual group name at
> runtime.
>
> You can do many fancier things than that such as creating your own
> IPrincipal object that does this mapping for you so that it responds
> true/false to "role1" instead of "domain\group1". You can create your own
> custom configuration to store it. You can store the mapping in SQL.
> Whatever you want to do...
>
> Joe K.
>
> "Patrick.O.Ige" <patrickige@optusnet.com.au> wrote in message
> news:%231gRNo34FHA.3348@TK2MSFTNGP10.phx.gbl...
> > Joe when you say mapping how would I go by mapping
> > the groups. And how would it be stored in Web.Config?
> > Patrick
> >
> > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> > in message news:#D5dpIb4FHA.3636@TK2MSFTNGP09.phx.gbl...
> >> Why not just create a simple mapping between groups and
> > application-specific
> >> roles and store it in SQL or web.config or whatever? Then you don't
> >> hard-code the groups in your checks, but allow Windows to do the heavy
> >> lifting for you of figuring out your group membership at runtime?
> >>
> >> That is essentially what AzMan is about, although it is significantly more
> >> capable and includes several additional levels of indirection to support
> >> more granularity in your authorization (which can lead to better
> >> maintainability if you choose your operations carefully).
> >>
> >> Joe K.
> >>
> >> "Patrick.O.Ige" <patrickige@optusnet.com.au> wrote in message
> >> news:%23FFvhLZ4FHA.1188@TK2MSFTNGP12.phx.gbl...
> >> > Thx Joe for the response.
> >> > Joe I know it's like reinventing the wheel.
> >> > But it has been a debate with some other developers and I have been trying
> >> > to explain this.
> >> > They just feel hardcoding the group using IsInRole to perform Authorisation
> >> > is not good enough but the funniest thing
> >> > is that even if you use SQL server you would have to write stored procedures
> >> > and at the same time maintain the sync with AD Groups.
> >> > Actually I have come across AzMan and I will get more into it.
> >> > Thx guys..
> >> > If there are more resources out there please do forward them.
> >> > And thanks Jan for the snippet info but it would be nice if you could blog
> >> > that or post more tutorials to help give others
> >> >
> >> > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> >> > in message news:O#cWjgV4FHA.2872@TK2MSFTNGP15.phx.gbl...
> >> >> If the data is already in AD, what benefit could you get from trying to
> >> >> copy it into SQL server? That just sounds like a sync nightmare.
> >> >>
> >> >> It seems relatively straightforward to show and hide menu items based on
> >> >> calls to IsInRole and just use Windows authentication.
> >> >>
> >> >> I would probably add some sort of mapping layer so you have some indirection
> >> >> between the actual groups used to give you some configurability at runtime.
> >> >> AzMan is a good framework for this, but you can put something lighter weight
> >> >> together if you don't want to deal with it.
> >> >>
> >> >> Joe K.
> >> >>
> >> >> "Patrick.O.Ige" <patrickige@optusnet.com.au> wrote in message
> >> >> news:OgxH$IS4FHA.3036@TK2MSFTNGP15.phx.gbl...
> >> >> > If I want to generate a menu structure depending on who is logged in
> >> >> > in an intranet system (using windows authentication) is it better to use the
> >> >> > GROUPS in Active Directory
> >> >> > or to move the Active Directory groups into a Sql Server database and base
> >> >> > the authorization and authentication on the SQL Server roles/groups?
> >> >> > What's the best way to make use of the GROUPS in active directory to authorize
> >> >> > users apart from using web.config where you have to set it configuratively
> >> >> > like below (but I don't want this)
> >> >> > <authorization>
> >> >> >   <allow roles="DOMAIN\HRUsers" />
> >> >> >   <deny users="*" />
> >> >> > </authorization>
> >> >> > This works if I want to deny users who are not part of the GROUP
> >> >> > "HRUSERS" (which just denies the URL .aspx page)
> >> >> > Is it possible to store/collect all the Active Directory groups and use it
> >> >> > in code to validate against USERS?
> >> >> > (Apart from storing it in SQL server?)
> >> >> >
> >> >> > or
> >> >> > programmatically by doing :-
> >> >> > If Not (User.IsInRole("HR")) And Not (User.IsInRole("Managers")) Then
> >> >> >     ' Display the Button
> >> >> > Else
> >> >> >     ' Don't display it!
> >> >> > End If
> >> >> > The bad side to these methods is that if you are calling a method several
> >> >> > times from different applications, you will need to repeat the logic all
> >> >> > the time. How can I do it declaratively using Active Directory.
> >> >> > I know if I use a database with stored procedures that would be a benefit.
> >> >> > Any thoughts?
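The mapping layer Joe describes (appSettings keys naming application roles, a custom IPrincipal translating them to Windows groups at runtime), as an added C# example that is not code from anyone in this thread. The class name MappedRolePrincipal, the "role:" key prefix, the ';' separator, and the DOMAIN\... group and role names are constructed assumptions; GenericPrincipal stands in for the WindowsPrincipal an ASP.NET page would see.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Security.Principal;
// Wraps the Windows principal and answers IsInRole for application roles such as
// "CanEditField" by checking the Windows groups mapped to them, so pages never
// hard-code "DOMAIN\HRUsers". Roles with no mapping are denied (fail closed).
public sealed class MappedRolePrincipal : IPrincipal
{
    private readonly IPrincipal inner;
    private readonly Dictionary<string, string[]> roleToGroups =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase);
    // Reads appSettings entries like <add key="role:CanEditField" value="DOMAIN\HRAdmins;DOMAIN\ITAdmins"/>.
    // The "role:" prefix and ';' separator are conventions assumed here, not a framework feature.
    public MappedRolePrincipal(IPrincipal inner, NameValueCollection appSettings)
    {
        if (inner == null) throw new ArgumentNullException("inner");
        this.inner = inner;
        foreach (string key in appSettings.AllKeys)
        {
            if (key == null || !key.StartsWith("role:", StringComparison.OrdinalIgnoreCase)) continue;
            roleToGroups[key.Substring("role:".Length)] =
                appSettings[key].Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries);
        }
    }

    public IIdentity Identity { get { return inner.Identity; } }

    // A role is granted when the user is in any of its mapped groups; Windows does the
    // membership lookup at runtime, so nothing has to be synced into SQL Server.
    public bool IsInRole(string role)
    {
        string[] groups;
        if (role == null || !roleToGroups.TryGetValue(role, out groups)) return false;
        foreach (string group in groups)
            if (inner.IsInRole(group.Trim())) return true;
        return false;
    }
    // Console demo with constructed settings; GenericPrincipal stands in for the
    // WindowsPrincipal that ASP.NET exposes as HttpContext.Current.User.
    public static void Main()
    {
        var settings = new NameValueCollection();
        settings["role:CanEditField"] = @"DOMAIN\HRAdmins;DOMAIN\ITAdmins";
        settings["role:CanViewReport"] = @"DOMAIN\HRUsers";
        var user = new MappedRolePrincipal(
            new GenericPrincipal(new GenericIdentity("alice"), new[] { @"DOMAIN\HRUsers" }), settings);
        Console.WriteLine("CanEditField: " + user.IsInRole("CanEditField"));   // alice is in HRUsers only
        Console.WriteLine("CanViewReport: " + user.IsInRole("CanViewReport"));
    }
}
```

Per-user exceptions of the kind Patrick asks about fit the same scheme by mapping a role to an additional group created for that purpose, rather than by checking user names in code.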