My ASP.NET application is Membership enabled and users with Administration Role can create other user with different roles.
Is there an way that i can maintain an audit log of user creation, so i can keep a track that which Administrator created which user.
Thanks in advance.
Sure the framework uses a stored procedure (forget the exact name, but it's named appropriately). In that proc, add an insert to insert an audit record.
Related
I'm wondering how to solve the following issue:
I have a web asp.net app where Forms Authentification is used, connected to the Active Directory. Also, I have a connection string to MS SQL db in the web app, where one global user (with given privileges) is used. The problem is that when I want to store information about the user (e.g. data modification log) in database, I can only get the global user info provided in the connection string, not the real user who is logged in.
Is there any possiblity to log onto a web app with my personal credentials, after, use a global user credentials to connect into the database and pass my personal user credentials (but not as parameters in store procedure) that database will think that the user who is logged in is not the global user?
I assume, it might be only possible if I also create same users in the database and use Impersonalization?
Or any other possibillities?
Thanks in advance.
What are you doing to get the current user? Are you doing something like SELECT #user = SYSTEM_USER? This will obviously only return the user that you connect to SQL Server with.
I would rather keep to using a single SQL login that the application uses, but pass in the username when you are making changes, e.g. through a sproc or a table update:
CREATE PROCEDURE dbo.DoSomething
#id INT,
#username VARCHAR(50)
AS
-- Make your changes.
INSERT INTO dbo.[Audit] SELECT 'update', #id, #username
GO
In ASP.NET you can grab the currently logged in user through User.Identity.Name property of the page.
You could use a role within your database to handle permissions, and then get the users you need in a group in AD, and assign permissions to that AD group to access your database under the role you define. (This way you don't need to assign each user to your database as you create them).
You would then use windows authentication right the way through from your web site to the database, and have the user identity that you need for logging. (You'll need to set identity impersonate="true" in your configuration).
I would note that this is only going to work (easily) if your servers and your users are all on the same network.
I havent worked on ActiveDirectory Membership provider earlier, I have a doubt on creating an application using AD membership provider. If I need to foreign reference a user in a different table(lets say a custom role table ) then what primary identifier(Foreign key) should I use to identify the user in the the table which holds the relation of Role and the users.
Also , where is the additional information(other than AD details) about the user is stored like User Name, Department, Current project etc.
Is a snapshot of Active directory taken frequently and stored in a table in the database which is then used in sql joins?
The base membership provider (and derived providers such as the ActiveDirectoryMembershipProvider) uses UserName as a functional key (queries for members expect UserName as the key query parameter and return a single MembershipUser object). Those queries return MemberShipUser objects that have basic membership information—including roles, email, comments, etc. If you want to combine the ADMembership Provider with extra information, you're best off using the UserName as the key to do so. Storing extra data is easier if you use a database because .UpdateUser only commits Email, Comment, and IsApproved properties.
And no, snapshots are not taken, though you can enable caching if you wish. The provider queries AD directly when it needs the information.
The aspnet membership database when created resides in App_Data folder and is quite handy as it supports all the Login controls very well. The user roles can be very well managed by the aspnet configuration manager. The profile properties are managed all by the the database itself.
The database thus created can be seen in the server connections. If you analyze the datatbase you will see that every user has a specific userId apart from the username. Both of them are unique. You need not copy all user data in other tables. You can specify the related data using joins. Once a user is logged in, you can refer him/her by User.Identity.Name (c#) in your code behind.
Kindly view the database tables using the Server Explorer in Visual Studio and you can view the tables structures -- aspnet_Users, aspnet_Membership, aspnet_Profile etc...
I'm making a small portal in ASP.net (with C#.net4) where users can login and add, edit their personal information (PI). But I don't get how to load information (stored in a SQL server DB) in the page when a specific user is logged in.
For example: If Sam is logged in, he can view his PI. When Vicky is logged in, she can view her PI.
who can help me with this?
thanks in advance.
You need to retain the ID of the logged in user in a session variable and then use it to filter the query with which you fetch each user's info.
So if a user's ID is 278 then your query would run as:
SELECT first_name, last_name, * FROM user_table WHERE user_id = 278
From a session variable stored like:
Session["UserId"] = currentUserId;
The ASP.NET membership provider has already taken care of this for you. Have you considered using it? You can manage all of your authentication, permissions, roles, and access/edit profile information -- which you define. You access the data via the membership objects, and you won't need to write a single line of SQL to do it. It will save you loads of work instead of trying to reinvent the wheel.
Use the regular membership as described in the other answers. Then leverage the Profile system so that each user can view/edit their info when logged in (per the question). CAVEAT: ASP.NET profile system only works out of the box with the Website project template. If you want to use the Web Application project template, then follow the steps here:
ASP.NET: Web Site versus Web Application Project
When you have the profiles up and running, the profile data can be stored in session objects while the user is logged in.
I am trying to find a way to handle two types of users for an intranet system. There are users who login and there are those who do not. I need to store both types of users in the membership db. Does anyone have a common solution to this problem?
This is for an event booking system. The users who are in AD will see the app. We need to store the O/S Name along with a few other attributes from AD in our membership db. The O/S Name gets captured using the Request.ServerVariables(). We need to store those "requester" details along with other details about the event that is being booked.. In addition to those users, there are users that actually log into the system. I was hoping to store both types of users in the membership db, so that when an event is retrieved, the user details will get retrieved from the membership db as wel
If you can use 'Integrated Windows Authentication' you have access to some information about the user connecting to your system.
Therefore you could use this information for the general case, without the login.
If a user then want's more access, he can logon to the site with a special username/pwd.
A membership DB would typically restrict access to a set of users for a particular application on an Intranet site. Only those who are in Active Directory as network users would even see the Intranet in the first place. And only a subset of those network users who have been granted privileges for your application in its membership system would see the link and/or be able to gain access in one role or another. Can you be a little more specific with respect to what you are trying to achieve? :-)
I always wonder what are the exact access rights and permissions I need to give to a sql login which I use from my asp.net application to access database. The application execute some stored procedures which insert, update and delete data into tables. I do select, delete, update directly on the tables also. Also there are some triggers.
Wonder if there is a comprehensive list of the permission matrix to help.
Well, it depends on how complicated you want to make it :-)
Simplest solution:
make your login / db user have the db_datareader role to read all tables
make your login / db user have the db_datawriter role to write all tables
As for executing stored procs, what we did is create a new custom database role "db_executor" in our database like this:
CREATE ROLE [db_executor] AUTHORIZATION [dbo]
GRANT EXECUTE TO [db_executor]
and then we grant this role to the db user as well. This new custom database role will have execute rights on all existing AND on all future stored procs/funcs in your database.
With this, your db user can read and write any table and execute any stored proc and stored func.
More complex solution:
You can of course also GRANT permissions on individual tables, views, procs, funcs to inidividual db users and/or db roles. But it can get quite messy and complicated.
Marc