Active Directory, User Permissions, and .NET?
Active Directory, User Permissions, and .NET?
am 21.04.2008 17:14:04 von Spam Catcher
Hello All,
I need to integrate my application into Active Directory. My application
has the concept of groups, users, and also individual permissions. Users
can be part of a group such as administrators, but explicit permissions may
also be set.
Can active directory handle this too?
For example: Administrators can typically add/remove/edit/delete an item,
but one junior administrator may have delete disabled.
Can active directory handle this? How does one go about loading this
application permissions into AD? What's the best way to integrate into AD?
I know I can use the basic IsInRole check, but would this neccessitate lots
of roles (one for each explicit permission)?
Any tutorials providing a comprehensive overview of Active Directory would
be great.
Thanks!
--
spamhoneypot@rogers.com (Do not e-mail)
Re: Active Directory, User Permissions, and .NET?
am 21.04.2008 17:40:28 von Andy
Active Directory does not delegate permissions. Instead, its role is
only to confirm the identity of a user to your program.
It is up to your program to decide what kind of permissions to give to
a user once active directory has told your program who your user is.
Typically, this is done through a linked list implemented by your
program. You can see examples of this in SQL Server (you specify
active directory users in the security Logins and Roles lists, and
then assign specific access rights to each listed user in these lists)
and in sharepoint (you specify active directory users through
sharepoint screens and then indicate whether they are readers,
contributors, etc). In both cases, permissions are stored and granted
by each application and not active directory.
Re: Active Directory, User Permissions, and .NET?
am 21.04.2008 18:17:51 von willy.denoyette
"Spam Catcher" wrote in message
news:Xns9A87724C6B0CFusenethoneypotrogers@127.0.0.1...
> Hello All,
>
> I need to integrate my application into Active Directory. My application
> has the concept of groups, users, and also individual permissions. Users
> can be part of a group such as administrators, but explicit permissions
> may
> also be set.
>
> Can active directory handle this too?
>
> For example: Administrators can typically add/remove/edit/delete an item,
> but one junior administrator may have delete disabled.
>
> Can active directory handle this? How does one go about loading this
> application permissions into AD? What's the best way to integrate into AD?
>
> I know I can use the basic IsInRole check, but would this neccessitate
> lots
> of roles (one for each explicit permission)?
>
> Any tutorials providing a comprehensive overview of Active Directory would
> be great.
>
> Thanks!
>
> --
> spamhoneypot@rogers.com (Do not e-mail)
You can use the AD to be used as a centralized policy store that holds
authorization policy for one or more applications.
Start here:
http://msdn2.microsoft.com/en-us/library/aa480244.aspx
to get an idea how you can use Authorization Manager as an high-end
authorization solution for .NET and native COM based applications.
Willy.
Re: Active Directory, User Permissions, and .NET?
am 21.04.2008 20:11:16 von Spam Catcher
"Willy Denoyette [MVP]" wrote in
news:uvo9At8oIHA.552@TK2MSFTNGP06.phx.gbl:
> You can use the AD to be used as a centralized policy store that holds
> authorization policy for one or more applications.
> Start here:
> http://msdn2.microsoft.com/en-us/library/aa480244.aspx
> to get an idea how you can use Authorization Manager as an high-end
> authorization solution for .NET and native COM based applications.
Thanks - I'll take a look at AzMan.
Do you have any experience with AzMan? Is it suitable for use in
redistributable applications? What I means is are the policies easily
packaged for deployment?
Also is the API for AzMan easy to use?
Thanks!
--
spamhoneypot@rogers.com (Do not e-mail)
Re: Active Directory, User Permissions, and .NET?
am 21.04.2008 21:24:16 von willy.denoyette
"Spam Catcher" wrote in message
news:Xns9A8790594E32Dusenethoneypotrogers@127.0.0.1...
> "Willy Denoyette [MVP]" wrote in
> news:uvo9At8oIHA.552@TK2MSFTNGP06.phx.gbl:
>
>> You can use the AD to be used as a centralized policy store that holds
>> authorization policy for one or more applications.
>> Start here:
>> http://msdn2.microsoft.com/en-us/library/aa480244.aspx
>> to get an idea how you can use Authorization Manager as an high-end
>> authorization solution for .NET and native COM based applications.
>
> Thanks - I'll take a look at AzMan.
>
> Do you have any experience with AzMan? Is it suitable for use in
> redistributable applications? What I means is are the policies easily
> packaged for deployment?
>
Well, it depends on what kind of store you are looking for and what you mean
exactly with "packaged for deployment".
The easiest AZRoles store to deploy is the XML file type , which can be used
as policy store to describe all tasks/roles etc for an application or a
group of applications. But in general you shouldn't use this kind of store
other than for prototyping and development.
All other store types (SQL Server, ADAM, AD) can de created/updated at
deployment time from code (script or other) using the AzMan API's.
> Also is the API for AzMan easy to use?
>
Please define "easy".
All AzMan's functionality is exposed as a set of COM interfaces.
You can use these from scripting clients like VBScript and JScrip as well as
from higher level languages like VB6, C#, VB.NET, C++ etc..
The exposed interfaces can be used for both "administration" and
"programming". That means that there is a set for administration, while an
other set is meant for "application development".
Note that AzMan is only available on W2K and XP (as redistributable) and
W2K3 and higher (as part of the OS), note also that Vista and higher include
some additional functionality.
Willy.