Re: VB.NET Role-Based Access



That's why in real applications the PrincipalPermission attribute is rarely used - there are 2 implications

a) attributes are embedded in metadata at compile time - there is no way to make them somehow dynamic at runtime
b) this leads to 2 problems - you have to hardcode domain/machine names - and even BUILTIN\ will not work because those names are localized - and the role check will fail on a non-English Windows

Builtin\Backup Operators (English) == Vordefiniert\Sicherungsoperatoren (German)

Use the attribute only for checking the Authenticated property

For everything else use Thread.CurrentPrincipal.IsInRole (and in 2.0 the overload of WindowsPrincipal.IsInRole that takes SIDs also makes you locale independent)

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Hi all,

I am trying to implement some security on my program. This program will
be run on a number of machines across the globe. I have created a
number of user groups which contain the access privileges of the
Windows users but as they are not builtin groups I cannot do as below!

<PrincipalPermissionAttribute(SecurityAction.Demand, _
    Role := "BUILTIN\Backup Operators")> _

What I need to know is how can I change the Role attribute to look at
my user-defined groups instead of the builtin groups? And as I don't
know the Domains that users are working in, how do I add that to the
attribute???? Really need something like below but it doesn't work:

<PrincipalPermissionAttribute(SecurityAction.Demand, _
    Role := "AllowedCreation")> _

Thank you

Dave
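
The runtime check recommended in the reply at the top of this thread, as an added example (not code from either poster): it uses the SID overload of WindowsPrincipal.IsInRole for the built-in group and resolves the user-defined group to a SID at run time. The module and function names, and taking the domain from Environment.UserDomainName, are assumptions.

```vb
Imports System
Imports System.Security
Imports System.Security.Principal
Imports System.Threading

Module RoleChecks ' hypothetical module name

    ' Locale-independent: the well-known SID S-1-5-32-551 identifies
    ' Backup Operators whatever the display language of Windows is.
    Function IsBackupOperator(ByVal p As WindowsPrincipal) As Boolean
        Dim sid As New SecurityIdentifier(WellKnownSidType.BuiltinBackupOperatorsSid, Nothing)
        Return p.IsInRole(sid)
    End Function

    ' User-defined group: the domain is supplied at run time, so nothing
    ' is fixed in metadata at compile time. The name is resolved to a SID first.
    Function IsInGroup(ByVal p As WindowsPrincipal, ByVal domain As String, ByVal groupName As String) As Boolean
        Try
            Dim account As New NTAccount(domain, groupName)
            Dim sid As SecurityIdentifier = DirectCast(account.Translate(GetType(SecurityIdentifier)), SecurityIdentifier)
            Return p.IsInRole(sid)
        Catch ex As IdentityNotMappedException
            Return False ' group unknown in this domain: fail closed
        End Try
    End Function

    ' Imperative replacement for the declarative attribute demand.
    Sub DemandCreationRight()
        Dim p As WindowsPrincipal = TryCast(Thread.CurrentPrincipal, WindowsPrincipal)
        If p Is Nothing OrElse Not p.Identity.IsAuthenticated Then
            Throw New SecurityException("Windows authentication required.")
        End If
        ' Assumption: the group lives in the caller's logon domain.
        If Not IsInGroup(p, Environment.UserDomainName, "AllowedCreation") Then
            Throw New SecurityException("Caller is not a member of AllowedCreation.")
        End If
    End Sub

    Sub Main()
        ' Make Thread.CurrentPrincipal reflect the Windows logon.
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal)
        Dim p As WindowsPrincipal = DirectCast(Thread.CurrentPrincipal, WindowsPrincipal)
        Console.WriteLine("Backup operator: {0}", IsBackupOperator(p))
        Try
            DemandCreationRight()
            Console.WriteLine("Creation allowed")
        Catch ex As SecurityException
            Console.WriteLine("Denied: " & ex.Message)
        End Try
    End Sub
End Module
```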


