How to implement roles in ASP.NET using existing AD groups - asp.net

I'm trying to implement some role-based functionality in my web application (.NET 4.0.3) so that I can control what menu items users can see based on their roles, either Administrator or User.
I'm simply using existing AD groups to administer the roles. Let's say there is a team in my organisation that is represented by an AD group called IT-Managers, and there is another team with AD group IT-Support. I simply want to map IT-Managers as Administrator and IT-Support as User.
I can easily use WindowsPrincipal.IsInRole() to check whether the currently logged-in user belongs to either group, but how do I tell the application that the logged-in user holds the Administrator role or the User role, so that sitemap security trimming can pick this up?

By implementing your custom Role Provider. Once implemented, you can easily use the ASP.NET role provider framework...
Roles.IsUserInRole("Admin");
Roles.GetUsersInRole("Users");
etc.
You can implement a Role Provider by implementing the RoleProvider abstract class or by extending an existing one such as SqlRoleProvider. There's a lot of extensive documentation out there; I'll paste a couple of links:
http://msdn.microsoft.com/en-us/library/aa478950.aspx
http://www.codeproject.com/Articles/28546/Active-Directory-Roles-Provider

Related

Creating my custom security role and custom user group tables, to implement custom authorization for my asp.net mvc web application

I am working on an intranet ASP.NET MVC application with Windows Authentication enabled. I am building an asset management application, and I need to define user groups and security roles. For example, I have a group that contains senior HR employees; this group will be linked to a security role. The security role will, for example, allow adding new vehicles, but only allow reading the information about IT assets such as PCs, etc.
But since I am working on an intranet and the users exist in Active Directory, I want to link the user groups to custom security roles. So is it a recommended approach to use my own userGroups table and securityRole table to store the information about the user groups and their security roles?
Currently I only use the users from AD, but store the info about user groups and security roles inside my custom tables, as this gives me more flexibility in implementing the requirements. Or is it recommended to use the built-in groups and role management that comes with ASP.NET?
Thanks
If the ability exists to maintain the active domain groups, there is no reason to maintain a local groups table; IsInRole can be used for group access checks.

How To Programmatically Add OpenID Users To Plone Site

I need to give roles (including the Member role), memberdata, and user folders to certain OpenID users before they first log in to my Plone site. That is, I need to programmatically add OpenID users to my Plone site. portal_registration.addMember cannot add an OpenID user. plone.openid has its own PAS plugin which does not create member objects. What do I do that is replicable in a setuphandler? The usual way to do this is to manually log in the OpenID user, then add roles, memberdata, and sharing after the login. However, that user story is not programmatically replicable.
The only thing that should matter is the user id generated for each user. It should be possible to just create regular members beforehand with user ids matching the OpenID identity URLs, assign them roles and then use OpenID (only) as an alternative authentication method for those users.
Update: As Chris commented below, it's not possible to add users with URL as their id through Plone UI, but they must be created directly into PAS users folder through ZMI (Zope Management Interface).

How to assign users the security roles associated with Active Directory

I have a different access role for each of the pages in my application (using Windows Authentication) to restrict users from access, using SqlRoleProvider. So to add users to a role, I would go:
Roles.AddUserToRole(userName, roleName);
Now, I need to integrate the company's AD groups into my application, such that each AD group will be assigned these access roles as well, and users who are part of a certain AD group will automatically "inherit" the roles.
My questions are:
Can I continue to use my SQL tables like aspnet_Users, aspnet_Roles etc?
How do I go about integrating AD groups? And how do I assign roles to AD groups? (So far, I can check all the AD groups a user is part of using DirectoryEntry.)
As a user logs in to the application using Windows Authentication, after I check that they are part of a particular AD group, how do I "give" or "assign" them the roles as per AD group?
Would deeply appreciate your help with these questions.
The AD ASP.NET Membership and Roles system ties directly into AD, your database tables are ignored. An AD Group becomes an ASP.NET Membership Role.
The rest of my post is concerned with applications modifying AD groups directly:
You can, with great difficulty, but in that case it is not recommended.
Active Directory group membership is assigned by another user who is a member of the Domain Admins group, or is delegated the permission to assign users to other groups.
In order to do this from code (using ADSI) your program would then need to run under (or use an impersonation token of) a user identity that is a member of the Domain Admins group or is delegated that user right.
...this means that your program is suddenly trusted with an ability that, if hacked or abused, can wreak havoc in your security domain. I do not recommend doing this.
Documentation is available on MSDN: http://msdn.microsoft.com/en-us/library/windows/desktop/aa706022%28v=vs.85%29.aspx

ASP.NET Custom Role Provider - Additional Fields

I am faced with a security model problem when migrating my code to ASP.NET.
In the application:
There are multiple roles. (Role A, Role B etc)
There are multiple input/output fields. (Field A, Field B etc)
There are multiple permission levels controlling access to each field. (Read, Direct Edit, Edit With Approval, None)
Each role has its own permissions to fields. (Role A has Read Permission to Field A; Role B has Direct Edit permission to Field A etc)
Every role can be assigned to users and they are assigned by Geographic information. (User A is assigned to Role A for Continent: Europe - Country: Germany; User B is assigned to Role A for Continent: Europe - Country: France; User A is assigned to Role B for Continent: Europe - Country: France etc)
Users can have multiple roles
User identity is coming from Windows Authentication.
So my question/problem is: is it possible to represent this kind of multi-layered security model using the ASP.NET internal membership/role providers?
If so, what should my starting point be? Would creating only a custom role provider with custom methods and fields be enough?
Even with the built-in features of ASP.NET, the Membership Provider, and user controls, you will still have to write and manage the custom behaviors and interactions.
As an example, the Membership Provider has easy ways for you to create roles and check for the existence of roles. But you will have to create the business-specific dashboard that calls the features of the API that are appropriate to expose for your application. As an example, at many of the organizations that I have worked with, role creation was a database-only activity. User controls or site behaviors based on role were a code-only activity. Managing which roles were assigned to users was a feature exposed via an admin page in the application. If a need for a new role was identified, it had to be first created by a DBA, then code/controls that were responsive to that role had to be written. After these items were deployed, application administrators could assign roles to or remove roles from users.
To address your comment to your question, if you have Europe_Germany_RoleA, the Membership API provides methods for you to create that role, map it to a user, and to check for its existence on a particular user. Like...
// Page.User is an IPrincipal; the role check is IsInRole (there is no Roles collection on it)
if (User.IsInRole("Europe_Germany_RoleA")) {
    // your code here
}
but you would need to map that particular role to information or features specific to your application.
In retrospect, maybe what you really want to look at is the Profile Provider. Still part of the Membership set (Membership, Roles, Profiles), it is more designed to carry information. You could customize the Profile object to meet the needs of your application. For example, if you looked at this as Sectors (for lack of a better term) that could be loaded when the user logged in, you could do queries like...
// Profile.Sectors is a custom profile property (assumed to be a collection with a Name member)
if (Profile.Sectors.FirstOrDefault(sd => sd.Name == "Europe_Germany_RoleA") != null) {
    // bind to a grid, show a control, do something significant
}
and that might fit your problem better. Roles are truly only meant to act as flags (does he have this role or not, then do something or don't), but the Profile object is designed to be customized to carry pertinent data for a user.
You can always extend it. The ASP.NET Membership model uses GUIDs as IDs for users and roles. You can add new tables that represent the added functionality and have them reference the original Membership tables.
Your problem is not in the role provider, or the membership system. This system is suitably flexible enough for your needs, and allows you to assign multiple roles to individual users. You can either use a SQL table to store these roles, or you can use Active Directory, AD is probably easier to manage the users with.
Your primary problem is going to be how you assign permissions to the fields and other objects. This means you can't just use standard drag and drop web forms, but will have to build your fields dynamically.
It's easy enough to check whether a user is in a role, this is a one-line call. But, your roles will likely not be hard coded, so you need a way to store fields and the roles associated with them, and a way to build the fields based on the users privileges.
EDIT:
Another option is to build the forms as if there was no security, then in your pre-render event go through and apply your security to each field, disabling and/or hiding fields you don't want the users to see. This may require re-laying out the fields if you choose to hide them.
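As an added example (not code from any of the answers or from the asker), the following models the role / field / permission-level / geography scheme from the question and applies the pre-render approach from the EDIT above to WebForms controls. All type, member and field names are assumptions, the assignments and permission table are constructed sample data, and one rule is assumed that the question leaves open: when a user holds several roles for the same continent/country, the most permissive level applies.

```csharp
// Added example, not from the original answer: a permission model for the
// role / field / geography scheme, plus a PreRender hook that applies the
// resolved permission to each control. All names here are assumed.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace MyApp.Security
{
    // Ordered so that Max() picks the most permissive level a user holds.
    public enum FieldPermission { None = 0, Read = 1, EditWithApproval = 2, DirectEdit = 3 }

    // One row of the "user holds role X for continent/country" table.
    public class RoleAssignment
    {
        public string User, Role, Continent, Country;
    }

    public class FieldPermissionResolver
    {
        private readonly List<RoleAssignment> _assignments;
        private readonly Dictionary<string, FieldPermission> _rolePermissions;

        // rolePermissions is keyed "Role|Field" (constructed convention).
        public FieldPermissionResolver(IEnumerable<RoleAssignment> assignments,
                                       IDictionary<string, FieldPermission> rolePermissions)
        {
            _assignments = assignments.ToList();
            _rolePermissions = new Dictionary<string, FieldPermission>(
                rolePermissions, StringComparer.OrdinalIgnoreCase);
        }

        // Effective permission: only roles held for this exact geography count;
        // if several apply, the most permissive wins; no match means None.
        public FieldPermission Resolve(string user, string field, string continent, string country)
        {
            return _assignments
                .Where(a => Same(a.User, user) && Same(a.Continent, continent) && Same(a.Country, country))
                .Select(a =>
                {
                    FieldPermission p;
                    return _rolePermissions.TryGetValue(a.Role + "|" + field, out p) ? p : FieldPermission.None;
                })
                .DefaultIfEmpty(FieldPermission.None)
                .Max();
        }

        private static bool Same(string a, string b)
        { return string.Equals(a, b, StringComparison.OrdinalIgnoreCase); }

        // Render-time enforcement for a single control.
        public static void Apply(Control control, FieldPermission permission)
        {
            var web = control as WebControl;
            var text = control as TextBox;
            switch (permission)
            {
                case FieldPermission.None:
                    control.Visible = false;          // not rendered at all
                    break;
                case FieldPermission.Read:
                    if (text != null) text.ReadOnly = true;
                    else if (web != null) web.Enabled = false;
                    break;
                case FieldPermission.EditWithApproval:
                    if (web != null) web.Attributes["data-requires-approval"] = "true";
                    break;
                case FieldPermission.DirectEdit:
                    break;                            // fully editable
            }
        }
    }

    // Sketch of a page using the resolver (constructed sample data).
    public class AssetEditPage : Page
    {
        private static readonly FieldPermissionResolver Resolver = new FieldPermissionResolver(
            new[]
            {
                new RoleAssignment { User = @"CORP\usera", Role = "RoleA", Continent = "Europe", Country = "Germany" },
                new RoleAssignment { User = @"CORP\usera", Role = "RoleB", Continent = "Europe", Country = "France" },
            },
            new Dictionary<string, FieldPermission>
            {
                { "RoleA|FieldA", FieldPermission.Read },
                { "RoleB|FieldA", FieldPermission.DirectEdit },
            });

        protected TextBox FieldA;   // declared in the .aspx markup
        protected string Continent = "Europe", Country = "Germany";

        protected override void OnPreRender(EventArgs e)
        {
            base.OnPreRender(e);
            FieldPermissionResolver.Apply(FieldA,
                Resolver.Resolve(User.Identity.Name, "FieldA", Continent, Country));
        }

        // The same check must guard the save path; hiding at render time is not authorization.
        protected bool MayWrite(string field)
        { return Resolver.Resolve(User.Identity.Name, field, Continent, Country) >= FieldPermission.EditWithApproval; }
    }
}
```

With the sample data, CORP\usera sees FieldA read-only when the page is scoped to Germany and editable when scoped to France. The resolver keeps the role definitions in data rather than code, which is what the answer above recommends for roles that are not hard-coded; and because a disabled or hidden control can be re-enabled from the client, the same Resolve call has to run again in the postback handler before any value is written.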

Web application role management

I am new to ASP.NET and developing an application where there will be some roles (admin, entry user, maker, checker). One user can have all or only some of the provided roles, and the page should restrict functionality based on the user's roles.
What is the best way of implementing it without Membership in ASP.NET?
thanks
How can you define a role without membership? You have to know who they are in order to get their role, otherwise there is no point.