Unique web site administration tool - asp.net

I'd like to create a Unique Web Site Administration Tool (UWSAT) to admin all users for all my websites on the production server.
Basically the idea is to have the UWSAT with only an admin user; when the admin logs in to the tool, he could navigate the applications, select one and see its users. He could add a new user to an existing application, or create a user specifying a new application name (as far as I know, that creates the application too).
The problem I'm facing is that to add a user to an application I have to set Membership.ApplicationName, but I read this should be avoided.
So I ask you: should I create a different MembershipProvider for each application and call it when I have to manage users for that application?
Thanks.

I recommend creating a role, and assigning it to the users. The role would be the application they should have access to.
The RoleProvider is one way to do this.

Related

Where I should manage my ASP.NET MVC Windows authentication roles

If I use Windows authentication inside an ASP.NET MVC web project, I will not get any membership database, unlike forms-based authentication. But I can still use roles. So I have the following questions:
So where are these roles managed, and how will I be assigning users to roles when using Windows authentication?
Are these roles managed and created only inside Active Directory? And if I want to add a user to a specific role, will I be doing this inside Active Directory?
So can anyone advise?
Edit
Now if I understand your point well, let's say that I want to restrict calling an action method to only our company administrators, where currently inside Active Directory we have a group of users named "OurCompanyAdminsitrators".
So let's say I create a new ASP.NET MVC 5 web project and specify Windows authentication, then on my action method I write the following:
[Authorize(Roles = "OurCompanyAdminsitrators")]
Will ASP.NET MVC 5 recognize the OurCompanyAdminsitrators user group? Or do I need to do extra work for my ASP.NET MVC web project to be able to read and check against the Active Directory groups?
I think there are many ways to approach this; two I can think of off the top of my head:
1. Use Active Directory to manage your roles and add users to the Active Directory groups as required. You can then access them through the user's Identity, which you can get from the HTTP context.
2. Create a separate service/component to manage the security for you, where you map user credentials to roles that you define yourself completely away from AD. Obviously there is more of a time investment here and you will need to duplicate some information.
We can use SimpleMembership provider. "SimpleMembership: The future of membership for ASP.NET".
http://weblogs.asp.net/jongalloway//simplemembership-membership-providers-universal-providers-and-the-new-asp-net-4-5-web-forms-and-asp-net-mvc-4-templates
http://www.codeproject.com/Articles/689801/Understanding-and-Using-Simple-Membership-Provider
http://www.mono-software.com/blog/post/Mono/226/Adding-ASP-NET-SimpleMembership-to-an-existing-MVC-4-application/
Edit:
We can use SqlRoleProvider.
http://msdn.microsoft.com/en-us/library/system.web.security.roleprovider.aspx
http://weblogs.asp.net/scottgu/Recipe_3A00_-Implementing-Role_2D00_Based-Security-with-ASP.NET-2.0-using-Windows-Authentication-and-SQL-Server

Delegating Plone managing users and local roles on content

We are using Plone 4.2.2 and we would like to delegate user account/group creation and managing local roles on content to our tier 1 helpdesk folks. We initially thought to use the Site Administrator role and just add the Site Setup Overview and Site Setup Users and Groups permissions. This allows them to create users and groups, but they don't have access to the sharing tab to manage local roles on folder and file objects.
I'm not finding much help out there and this seems like it would be a fairly common delegation. In fact, I'm surprised there isn't a role specifically for this. Giving Manager role to our tier 1 is a little scary.
Any suggestions would be greatly appreciated.
I found this thread that referenced Managing Users, but not the local roles on content
How to create a Plone 4 group who's sole purpose is to manage users?
The access to the sharing tab is only about permission.
You must give your users the "Sharing page: Delegate roles" permission and all needed permissions named "Sharing page: Delegate XXX role".
But to be honest I think that the Site Administrator role already has all the power you need.
What I would do is that, instead of using the normal Plone user manager, I'd:
- write a custom, simplified user management form in a Python add-on
- have the form do sanity checks by allowing creation of only certain kinds of users with certain roles
- have the form also delegate setting local roles on folders programmatically (no need to go to the Sharing tab)
- expose this form through a special new permission
- give the permission for the form to Tier 1 support personnel
As the use case is very specialized it might be easier to write your own manager form than customizing existing Plone logic.

ASP MVC4 Admin add user settings

I am just learning the admin side of this in the Web Site Administration Tool, having set up a new project. I have accessed the security panel at the back end, and created an admin role, which is used to access a view through a controller filter. All standard stuff.
However when I try to log in to the front end with this user, it doesn't exist, and I have to create it afresh.
Alternatively, when I create a user at the front end and try to assign him an admin role at the back end, he also doesn't exist.
Only users created at the back end exist at the back end and can be assigned roles.
There seems to be no connection between front end users and back end users. There appear to be two separate databases, one holding front end users and one back end users.
Giving a back end user admin rights doesn't seem to work from the front end.
Is there some explanation of how this system works? I have used Google without help.
If you're using a standard asp.net mvc 4 application, then yes. This is to be expected.
The reason is that MVC4 by default uses a different membership provider called SimpleMembership, and this provider is not compatible with the ASP.NET Configuration utility. That configuration utility uses the old membership provider, which has entirely different tables.
Your options are:
- Don't use the web configuration utility. Add users manually, or through a script, or maybe create your own admin pages.
- Disable SimpleMembership so that MVC uses the old membership system.
- Do something completely different (don't use membership, use a different provider, create your own provider, etc.).
As for a separate database, yes. If you notice, there is no membership configuration in your web.config. Instead, the ASP.NET Configuration utility uses the default membership configuration that's defined in your machine.config in c:\windows\microsoft.net\framework[64]\config. The default location is a file located in your project directory under the App_Data directory called aspnet.mdf.
EDIT:
More information about the new provider here:
http://weblogs.asp.net/jgalloway/archive/2012/08/29/simplemembership-membership-providers-universal-providers-and-the-new-asp-net-4-5-web-forms-and-asp-net-mvc-4-templates.aspx
Also:
http://geekswithblogs.net/Aligned/archive/2012/08/30/mvc-4-authentication.aspx

asp.net membership

I'm writing an MVC application, using ASP.Net Membership for security. The application will allow multiple websites to run from the same app and database.
The websites running on the app will be completely independent from each other. The users of those sites will have access to their site only.
If I'm using one web.config, one MVC app and one database, can I achieve site specific security using ASP.NET membership?
Presumably I'll only have one application key so won't be able to use that to differentiate between sites. I thought about using Roles but will be exposing roles to site administrators -- and don't want admins to add / configure roles for a different site to their own users.
This potential problem has only just occurred to me so any help will be greatly appreciated.
You could have them as sub-sites of the main site (with web.config set up there) and therefore, the authentication permeates through the sub-sites.
There is an ApplicationName property that the roles provider uses to filter roles on. Try setting that property before fetching roles.
Something like this should work:
Roles.ApplicationName = "MyAppName";
var authorized = Roles.IsUserInRole("Some.user", "admin");
I haven't tried this, it is a static property and could give you weird results, so be careful. The best way to do this would be to implement your own provider so you could do something like Roles.IsUserInRole("some.user","admin","MyAppName").
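An added illustration, not code from any of the posts on this page: Roles.ApplicationName (like Membership.ApplicationName) sets the application name on the shared default provider, so changing it per request in a multi-site app can leak one site's value into a concurrent request. One alternative is to register a named role provider per site and resolve it explicitly. The provider names, site keys and connection string name below are assumptions.

```csharp
using System;
using System.Configuration.Provider;
using System.Web.Security;

// Added example: resolve a per-site RoleProvider instead of mutating the
// static Roles.ApplicationName on each request.
// Assumes web.config registers one <roleManager> provider per site, each with
// its own applicationName, for example (hypothetical names):
//   <add name="SiteARoles" type="System.Web.Security.SqlRoleProvider"
//        connectionStringName="MembershipDb" applicationName="SiteA" />
//   <add name="SiteBRoles" type="System.Web.Security.SqlRoleProvider"
//        connectionStringName="MembershipDb" applicationName="SiteB" />
public static class SiteRoles
{
    // Looks up the provider configured for a site; fails closed when the
    // site key has no provider rather than falling back to the default one.
    private static RoleProvider ForSite(string siteKey)
    {
        RoleProvider provider = Roles.Providers[siteKey + "Roles"];
        if (provider == null)
            throw new ProviderException(
                "No role provider configured for site '" + siteKey + "'.");
        return provider;
    }

    // Role check scoped to one site's applicationName.
    public static bool IsUserInRole(string siteKey, string userName, string roleName)
    {
        return ForSite(siteKey).IsUserInRole(userName, roleName);
    }

    // Role assignment scoped to one site; a site admin cannot touch roles
    // that exist only under another site's applicationName.
    public static void AddUserToRole(string siteKey, string userName, string roleName)
    {
        RoleProvider provider = ForSite(siteKey);
        if (!provider.RoleExists(roleName))
            throw new ArgumentException("Role does not exist for this site.", "roleName");
        provider.AddUsersToRoles(new[] { userName }, new[] { roleName });
    }
}
```

The site key should come from trusted server-side state (for example the host binding), never from a value the caller can choose freely.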

Asp.net mvc user management

In the ASP.NET MVC default application you get the account controller, which enables user registration, log in, log out and changing password.
I was wondering, is it possible to implement a little more, like enabling an administrator to delete some user or give some user different roles, like in ASP.NET configuration where you create users and roles and assign roles to users?
I already figured out how to extend the profile for users, so now they have much more info and a profile picture.
If you have any experience or examples of user management in asp.net mvc.
Although a bit outdated, this project maybe can give you a few hints on how to implement membership administration in ASP.NET MVC:
Asp.Net MVC Membership Starter Kit
Quote:
What is the Asp.Net MVC Membership Starter Kit?
The starter kit currently consists of two things:
1. A sample website containing the controllers, models, and views needed to administer users & roles.
2. A library that provides testable interfaces for administering users & roles and concrete implementations of those interfaces that wrap the built-in Asp.Net Membership & Roles providers.
Out of the box, the starter kit gives you the following features:
- List of Users
- List of Roles
- User Account Info
- Change Email Address
- Change a User's Roles
Update
For restricting certain operations to specific user roles, you can create these roles using the project I mentioned earlier, and then decorate your own application's controllers and/or actions with an Authorize attribute, referencing the desired roles:
[Authorize(Roles = "Administrator, HR")]
public ActionResult DeleteUser(int UserId)
{
    // do something
}
This would prevent users that are not Administrator or HR from deleting users.
Here is my try for a reusable user & role management:
https://github.com/Epstone/Simple-MVC-User-Management
If I were you I'd create an Admin "module" which handles all of these things. I don't know of any ASP.NET documentation on this, but if you look around on PHP documentation (Zend Framework, CakePHP or other) you get the basic ideas of the structures you should use to achieve this. Just remember to keep things separated: admin stuff goes into an admin module, not a user module (but maybe a user controller inside an admin module).
I answered a similar question here:
User Management in ASP.Net MVC 3
This provides you with an MVC 3 Razor based User Management Tool. This does not include Roles, but if you get this far, it should not be real difficult to add them.
