Roles.. any ideas?

Old forum URL: forums.lhotka.net/forums/t/4854.aspx


ajj3085 posted on Thursday, May 15, 2008

Hi,

I currently have my application setup and built on Csla, and using WindowsAuthentication.  For security checks, I simply do an IsInRole call on the Identity.  The role permissions are hard-coded, something like this:

private static string[] allowedReadRoles = new string[] { "Sales", "Ordering" };

I now need to brand my application, and while the roles will remain the same, the problem is that IsInRole is functioning via group membership.  The branding will be for other companies, which are owned by the same owners, and use the same office buildings, network and computers as the main company (the other companies have less than 10 people).

So, adding the users for Company B to existing groups isn't really an option... they'd have access to the application for Company A.  I guess one option is to switch to Csla authentication, but I'm currently using Integrated Authentication for the remoting portal as well as database connections, so I'm not sure that will work since I think I need the WindowsPrincipal on the current thread for IA to work properly (or am I mistaken?).

Any other ideas?  Has anyone used Authentication Manager, which allows you to define real roles, not AD Groups?

Thanks
Andy

sergeyb replied on Thursday, May 15, 2008

Just a thought.  My current app is using integrated windows authentication for SQL server and remoting portal, while using CSLA custom principal as user in application context.  So, you should be able to do the same.  On the other hand, you could create new AD groups to replace the old ones that will contain users from companies A and B, while users of company A will retain membership in old groups as well.  That way, you can stay with Windows authentication and just replace group names.

 

Sergey Barskiy

Senior Consultant

office: 678.405.0687 | mobile: 404.388.1899


ajj3085 replied on Thursday, May 15, 2008

Ahh... well that will make things simpler then, if I can use CslaAuth and still have the Windows auth.

Thanks
Andy

ajj3085 replied on Thursday, May 15, 2008

Hmm... I started looking into this, and the downside is that I need to manage role membership in two places, since I use the Windows Groups to map into database roles to control access to views / stored procedures.

sergeyb replied on Thursday, May 15, 2008

Yep.  You can just create new groups specifically for your CSLA app, and just change all the existing roles to new groups.

 

Sergey Barskiy

Senior Consultant

office: 678.405.0687 | mobile: 404.388.1899


smiley riley replied on Friday, May 16, 2008

The correct way for you to approach this is by adding another layer on top of your roles!!!

However a quick way around this problem for you is, rather than using a static array of strings to hold your allowed roles, create a Flags Enum of permissions and add Company A and Company B as options. You will then be able to assign company A / B as AD groups along with permissions. Then using bitwise operations you should be able to do what you are trying to do.

So when you load the roles, you add each to an enum using the following. You must override the default IsInRole along these lines:

    // Flags enum: each member is a distinct bit (values here are illustrative)
    [Flags]
    enum PermissionsEnum { None = 0, Sales = 1, Ordering = 2, CompanyA = 4, CompanyB = 8 }

    PermissionsEnum roles;   // the permissions loaded for the current identity

    bool IsInRole(PermissionsEnum role)
    {
        // bitwise test: every bit of 'role' must be set in 'roles'
        if ((roles & role) == role)
            return true;
        else
            return false;
    }

    // e.g. a Sales user at Company A
    PermissionsEnum permissions = PermissionsEnum.CompanyA | PermissionsEnum.Sales;

Then to determine roles:

    if (identity.IsInRole(PermissionsEnum.Sales))
    {
        // do general sales stuff
        if (identity.IsInRole(PermissionsEnum.CompanyA))
        {
            // do specific company A sales stuff
        }
    }

Don't know if this helps you at all.

 

SeVa replied on Friday, May 16, 2008

NetSqlAzMan: It's .NET 2.0. It's equipped with an MMC 3.0 (.NET) console. Its storage is a Sql Server database (2000/MSDE/2005/Express). It's Item-based. Structure based on Roles -> Tasks -> Operations (all hierarchical ones). Authorizations can be added to Roles, Tasks and Operations. It supports static/dynamic applicative groups, members/not-members. LDAP query testing directly from console. It's time-dependent. It's delegate-compliant. It triggers events (ENS). It supports 4 authorization types: Allow with delegation (authorized and authorized to delegate). Allow (authorized). Deny (not authorized). Neutral (neutral permission, it depends on higher level Item permission). Hierarchical authorizations. It supports Scripting / Biz rules (compiled in .NET - C# - VB - and not interpreted). It supports Active Directory users/groups and custom users defined in SQL Server Database.

ajj3085 replied on Friday, May 16, 2008

I'm still trying to wrap my head around AzMan too...  I was hoping I wouldn't have to change much of my code.. so that IsInRole still worked on the IPrincipal just as it does now, just that AzMan would be thrown in there and put actual Roles in, not just Windows Groups.

The trick is that this application really is just being branded.  I deploy it to a different location for installation and so the config file settings are different (we are using separate but identically structured databases).  So that's another sticking point... I'm not seeing how I can differentiate between a Company A instance vs. a Company B one.. since things like the Title bar get a different string so it says Company A Sales vs. Company B Sales... and has a way to reskin the application..  but otherwise there's no branching logic between one company or another.  It's just cosmetic / configuration setting differences, and the code to accommodate those.

ajj3085 replied on Friday, May 16, 2008

I think this is what I'm going to do.. any comments appreciated.

I have a helper class already, Permissions, which takes the roles array and loops calling IsInRole for each string.  Nothing fancy.

My thinking is to add an object which stores role mappings (which will be the strings hardcoded already, and which map directly to group names) to groups... so that a role doesn't necessarily map one to one to any group, or need to be the same name.

I still have the downside that whenever I create a new role, I'll have to add it to tables in several databases.. but I think this will require the least amount of code changes, and is thus the safest route to go.

Anyone see any problems?
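One way to build the mapping object described in this post, as an added example that is not CSLA's or the poster's own code: the logical role names stay hard-coded while each branded deployment supplies its own mapping from those names to Windows group names. The class, method and group names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical role-mapping layer (not CSLA's own code). The application keeps its
// hard-coded logical role names; each branded deployment supplies its own mapping
// from those names to Windows group names, so business-object checks stay unchanged.
public sealed class RoleMap
{
    private readonly Dictionary<string, string[]> _roleToGroups =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase);
    public void Map(string role, params string[] groups) { _roleToGroups[role] = groups; }

    // A logical role holds when the user is in ANY of its mapped groups. An unmapped
    // role is denied (no fallback to the bare role name), so a role missing from a
    // deployment's mapping fails closed instead of silently matching a group.
    public bool IsInRole(IPrincipal user, string role)
    {
        string[] groups;
        if (!_roleToGroups.TryGetValue(role, out groups)) return false;
        foreach (string group in groups)
            if (user.IsInRole(group)) return true;
        return false;
    }
    // The thread's Permissions helper: access is allowed if the user holds any listed role.
    public bool CanAccess(IPrincipal user, string[] allowedRoles)
    {
        foreach (string role in allowedRoles)
            if (IsInRole(user, role)) return true;
        return false;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed mapping for the Company B deployment; group names are assumptions.
        var companyB = new RoleMap();
        companyB.Map("Sales", @"CORP\CompanyB-Sales");
        companyB.Map("Ordering", @"CORP\CompanyB-Ordering");
        string[] allowedReadRoles = { "Sales", "Ordering" };
        // GenericPrincipal stands in for WindowsPrincipal; its role list plays the part
        // of AD group membership (constructed sample users).
        var bob = new GenericPrincipal(new GenericIdentity("bob"), new[] { @"CORP\CompanyB-Sales" });
        var alice = new GenericPrincipal(new GenericIdentity("alice"), new[] { @"CORP\Sales" });
        Console.WriteLine("bob can read: " + companyB.CanAccess(bob, allowedReadRoles));
        Console.WriteLine("alice can read: " + companyB.CanAccess(alice, allowedReadRoles));
    }
}
```

The mapping only covers the application-side check; the per-company Windows groups still have to be granted the database roles that protect the views and stored procedures mentioned earlier in the thread.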

Copyright (c) Marimer LLC