Active Directory, User Permissions, and .NET?

This topic is closed.
  • Spam Catcher

    Active Directory, User Permissions, and .NET?

    Hello All,

    I need to integrate my application into Active Directory. My application
    has the concept of groups, users, and also individual permissions. Users
    can be part of a group such as administrators, but explicit permissions may
    also be set.

    Can active directory handle this too?

    For example: Administrators can typically add/remove/edit/delete an item,
    but one junior administrator may have delete disabled.

    Can active directory handle this? How does one go about loading this
    application permissions into AD? What's the best way to integrate into AD?

    I know I can use the basic IsInRole check, but would this necessitate lots
    of roles (one for each explicit permission)?

    Any tutorials providing a comprehensive overview of Active Directory would
    be great.

    Thanks!

    --
    spamhoneypot@rogers.com (Do not e-mail)
  • Andy

    #2
    Re: Active Directory, User Permissions, and .NET?

    Active Directory does not delegate permissions. Instead, its role is
    only to confirm the identity of a user to your program.

    It is up to your program to decide what kind of permissions to give to
    a user once Active Directory has told your program who your user is.

    Typically, this is done through a linked list implemented by your
    program. You can see examples of this in SQL Server (you specify
    Active Directory users in the security Logins and Roles lists, and
    then assign specific access rights to each listed user in these lists)
    and in SharePoint (you specify Active Directory users through
    SharePoint screens and then indicate whether they are readers,
    contributors, etc). In both cases, permissions are stored and granted
    by each application and not Active Directory.

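The application-side permission store described in reply #2, applied to the junior-administrator case from the question, as an added example that is not part of the original thread. The directory supplies identity and group membership, the application keeps per-operation grants and per-user denies, so one role per permission is not needed. `AppAuthorizer`, the operations and the CONTOSO groups and users are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

// Hypothetical names throughout: AppAuthorizer, the operations, the CONTOSO groups and users.
enum Operation { Add, Edit, Remove, Delete }

sealed class AppAuthorizer
{
    // Directory group -> operations granted to its members (stored by the application).
    readonly Dictionary<string, HashSet<Operation>> groupGrants =
        new Dictionary<string, HashSet<Operation>>();
    // User name -> operations explicitly denied; a deny always wins over a group grant.
    readonly Dictionary<string, HashSet<Operation>> userDenies =
        new Dictionary<string, HashSet<Operation>>(StringComparer.OrdinalIgnoreCase);

    public void Grant(string group, params Operation[] ops) => groupGrants[group] = new HashSet<Operation>(ops);
    public void Deny(string user, params Operation[] ops) => userDenies[user] = new HashSet<Operation>(ops);

    public bool IsAllowed(IPrincipal principal, Operation op)
    {
        if (principal?.Identity == null || !principal.Identity.IsAuthenticated)
            return false;                                   // unauthenticated: deny by default
        if (userDenies.TryGetValue(principal.Identity.Name, out var denied) && denied.Contains(op))
            return false;                                   // explicit per-user deny
        // Group membership is answered by the principal (by AD for a WindowsPrincipal).
        return groupGrants.Any(g => g.Value.Contains(op) && principal.IsInRole(g.Key));
    }
}

static class Demo
{
    static void Main()
    {
        var authz = new AppAuthorizer();
        authz.Grant(@"CONTOSO\AppAdmins", Operation.Add, Operation.Edit, Operation.Remove, Operation.Delete);
        authz.Grant(@"CONTOSO\AppUsers", Operation.Add, Operation.Edit);
        authz.Deny(@"CONTOSO\junior", Operation.Delete);    // the junior administrator case

        // Constructed principals; a domain-joined app would pass
        // new WindowsPrincipal(WindowsIdentity.GetCurrent()) instead.
        var senior = new GenericPrincipal(new GenericIdentity(@"CONTOSO\senior"), new[] { @"CONTOSO\AppAdmins" });
        var junior = new GenericPrincipal(new GenericIdentity(@"CONTOSO\junior"), new[] { @"CONTOSO\AppAdmins" });

        Console.WriteLine(authz.IsAllowed(senior, Operation.Delete));
        Console.WriteLine(authz.IsAllowed(junior, Operation.Delete));
        Console.WriteLine(authz.IsAllowed(junior, Operation.Edit));
    }
}
```

Both principals are members of the same group; only the per-user deny separates them, and any operation without a matching grant is refused.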

    • Willy Denoyette [MVP]

      #3
      Re: Active Directory, User Permissions, and .NET?

      "Spam Catcher" <spamhoneypot@rogers.com> wrote in message
      news:Xns9A87724C6B0CFusenethoneypotrogers@127.0.0.1...
      > Hello All,
      >
      > I need to integrate my application into Active Directory. My application
      > has the concept of groups, users, and also individual permissions. Users
      > can be part of a group such as administrators, but explicit permissions
      > may also be set.
      >
      > Can active directory handle this too?
      >
      > For example: Administrators can typically add/remove/edit/delete an item,
      > but one junior administrator may have delete disabled.
      >
      > Can active directory handle this? How does one go about loading this
      > application permissions into AD? What's the best way to integrate into AD?
      >
      > I know I can use the basic IsInRole check, but would this necessitate
      > lots of roles (one for each explicit permission)?
      >
      > Any tutorials providing a comprehensive overview of Active Directory would
      > be great.
      >
      > Thanks!
      >
      > --
      > spamhoneypot@rogers.com (Do not e-mail)


      You can use the AD to be used as a centralized policy store that holds
      authorization policy for one or more applications.
      Start here:
      http://msdn2.microsoft.com/en-us/library/aa480244.aspx
      to get an idea how you can use Authorization Manager as a high-end
      authorization solution for .NET and native COM based applications.

      Willy.


      • Spam Catcher

        #4
        Re: Active Directory, User Permissions, and .NET?

        "Willy Denoyette [MVP]" <willy.denoyette@telenet.be> wrote in
        news:uvo9At8oIHA.552@TK2MSFTNGP06.phx.gbl:
        > You can use the AD to be used as a centralized policy store that holds
        > authorization policy for one or more applications.
        > Start here:
        > http://msdn2.microsoft.com/en-us/library/aa480244.aspx
        > to get an idea how you can use Authorization Manager as a high-end
        > authorization solution for .NET and native COM based applications.

        Thanks - I'll take a look at AzMan.

        Do you have any experience with AzMan? Is it suitable for use in
        redistributable applications? What I mean is, are the policies easily
        packaged for deployment?

        Also is the API for AzMan easy to use?

        Thanks!

        --
        spamhoneypot@rogers.com (Do not e-mail)


        • Willy Denoyette [MVP]

          #5
          Re: Active Directory, User Permissions, and .NET?

          "Spam Catcher" <spamhoneypot@rogers.com> wrote in message
          news:Xns9A8790594E32Dusenethoneypotrogers@127.0.0.1...
          > "Willy Denoyette [MVP]" <willy.denoyette@telenet.be> wrote in
          > news:uvo9At8oIHA.552@TK2MSFTNGP06.phx.gbl:
          >
          >> You can use the AD to be used as a centralized policy store that holds
          >> authorization policy for one or more applications.
          >> Start here:
          >> http://msdn2.microsoft.com/en-us/library/aa480244.aspx
          >> to get an idea how you can use Authorization Manager as a high-end
          >> authorization solution for .NET and native COM based applications.
          >
          > Thanks - I'll take a look at AzMan.
          >
          > Do you have any experience with AzMan? Is it suitable for use in
          > redistributable applications? What I mean is, are the policies easily
          > packaged for deployment?

          Well, it depends on what kind of store you are looking for and what you mean
          exactly with "packaged for deployment".
          The easiest AZRoles store to deploy is the XML file type, which can be used
          as policy store to describe all tasks/roles etc for an application or a
          group of applications. But in general you shouldn't use this kind of store
          other than for prototyping and development.
          All other store types (SQL Server, ADAM, AD) can be created/updated at
          deployment time from code (script or other) using the AzMan APIs.

          > Also is the API for AzMan easy to use?

          Please define "easy".
          All AzMan's functionality is exposed as a set of COM interfaces.
          You can use these from scripting clients like VBScript and JScript as well as
          from higher level languages like VB6, C#, VB.NET, C++ etc.
          The exposed interfaces can be used for both "administration" and
          "programming". That means that there is a set for administration, while
          another set is meant for "application development".

          Note that AzMan is only available on W2K and XP (as redistributable) and
          W2K3 and higher (as part of the OS), note also that Vista and higher include
          some additional functionality.

          Willy.


