The Hoju Saram

Monday, January 08, 2007

.Net User Manageable Access Control with AD User and Group Support.

For all articles relating to Domino to .Net conversion please see this post

Previously I posted about extending the SQLRoleProvider to allow for the use of AD groups.

On its own that is not very useful, so I have now built a project on top of it to show how to create a system for user-manageable access control with AD user and group support.

I have a zipped copy of this project available for download here.

The features this project provides are:



  • SQL role provider that uses AD group membership (as well as explicit user entries) to determine application roles.

  • Access Control page to support the administration of users and groups and granting them application roles.

  • AD search system to allow easy look-up of users and groups in Active Directory and add them to the Access Control List.


This lets you delegate access management for the .Net application to a specific group of users. Because the ACL accepts AD groups as well as individual users, one entry can cover a whole team, which keeps the list short and makes the Access Control very easy to use.

A couple of screen shots of the system in action are below.

Access Control List

Roles Tab

Searching Active Directory

To set it up, first download the project, then install the standard .Net SQL provider database on your server. This can be found here, with additional set-up instructions in my previous post.

Once that is set up, run the additional SQL in the DBSetup folder of the project against the database. This adds two new stored procedures to the standard SQL provider database; you may need to grant EXECUTE on these two procedures to the account the web application connects with in your environment.

After that, alter the web.config of the project so that it matches your environment. You will need to adjust the connection string named SQLRoleManagerConnection and the following appSettings keys:

ADUser – the Domain\userid of the account used to query Active Directory when searching for users and groups. It only needs read access to the directory, so use a dedicated low-privilege account rather than an administrator.

ADPasswd – the password of the ADUser account. web.config stores this in clear text, so either encrypt the appSettings section (aspnet_regiis -pe "appSettings" -app "/YourApp") or give the application pool identity read access to the directory and drop the stored credentials altogether.

ADBrowsableDomains – a comma-separated list of all the domains in your environment that the search page may look up.

DBRolesEdit – true or false, determining whether the Access Control roles themselves are editable. If you are implementing a system with a fixed set of roles declared in web.config, set this to false; otherwise set it to true to allow users to add and remove roles.

ACLAdminRole – the application role that is allowed to edit the Access Control of the system. If the user is in this role, either explicitly or (if the user isn't listed explicitly) through one of their AD group memberships, they can edit the ACL via the ACL.aspx page.
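The AD search page builds an LDAP filter from text the user types, so the one thing it must get right is escaping that text before it goes into the filter. The following is an added example of such a search, written for this page and not taken from the project: it reads the ADUser, ADPasswd and ADBrowsableDomains keys described above and assumes that each ADBrowsableDomains entry is usable both as an LDAP host name and as the DOMAIN part of a DOMAIN\name entry. The filter, attribute names and SizeLimit are my choices, not the project's.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.DirectoryServices;
using System.Text;

// Added illustration, not the project's code: search each domain in
// ADBrowsableDomains for users and groups matching a term typed into the ACL page.
public static class AdSearch
{
    // RFC 4515 escaping. Without this, a term such as  *)(objectClass=*  typed into
    // the search box would rewrite the filter instead of being matched literally.
    public static string EscapeFilter(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Users and groups whose account name or display name starts with the term
    // (prefix match: the trailing * is ours, the term itself is fully escaped).
    public static string BuildFilter(string term)
    {
        string t = EscapeFilter(term.Trim());
        return "(&(|(objectCategory=person)(objectCategory=group))" +
               "(|(sAMAccountName=" + t + "*)(displayName=" + t + "*)))";
    }

    // Returns entries in the DOMAIN\name form the ACL stores, tagged "user" or "group".
    public static List<KeyValuePair<string, string>> Find(string term)
    {
        string adUser = ConfigurationManager.AppSettings["ADUser"];
        string adPass = ConfigurationManager.AppSettings["ADPasswd"]; // clear text in web.config unless the section is encrypted
        string domains = ConfigurationManager.AppSettings["ADBrowsableDomains"] ?? "";
        var results = new List<KeyValuePair<string, string>>();
        if (term == null || term.Trim().Length < 2) return results; // refuse to enumerate the whole directory

        foreach (string raw in domains.Split(','))
        {
            string domain = raw.Trim();
            if (domain.Length == 0) continue;
            // Assumption: the ADBrowsableDomains entry serves as LDAP host and as DOMAIN prefix.
            using (var root = new DirectoryEntry("LDAP://" + domain, adUser, adPass,
                       AuthenticationTypes.Secure | AuthenticationTypes.Sealing))
            using (var searcher = new DirectorySearcher(root, BuildFilter(term),
                       new[] { "sAMAccountName", "objectCategory" }))
            {
                searcher.SizeLimit = 100; // bound what one search can pull back
                using (SearchResultCollection found = searcher.FindAll())
                {
                    foreach (SearchResult r in found)
                    {
                        if (r.Properties["sAMAccountName"].Count == 0) continue;
                        string sam = (string)r.Properties["sAMAccountName"][0];
                        string category = (string)r.Properties["objectCategory"][0];
                        string kind = category.StartsWith("CN=Group", StringComparison.OrdinalIgnoreCase) ? "group" : "user";
                        results.Add(new KeyValuePair<string, string>(domain + "\\" + sam, kind));
                    }
                }
            }
        }
        return results;
    }
}
```

The Secure | Sealing flags make the bind use Kerberos/NTLM with encryption rather than a simple bind, so the ADPasswd value is not sent in clear to the domain controller; the two-character minimum and SizeLimit keep a single search from dumping the directory.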

You will also need to have run at least the following SQL against the database (substitute your application name for SQLProviderTest, the value of your ACLAdminRole web.config key for [ACLAdminRole], and your own Domain\userid):

DECLARE @now datetime
SET @now = GETUTCDATE()
EXEC aspnet_Roles_CreateRole 'SQLProviderTest', '[ACLAdminRole]'
EXEC aspnet_UsersInRoles_AddUsersToRoles 'SQLProviderTest', 'YourDomain\YourId', '[ACLAdminRole]', @now

The last parameter of aspnet_UsersInRoles_AddUsersToRoles is @CurrentTimeUtc: the procedure creates the aspnet_Users row for any name it has not seen before and stamps it with that value, so pass the current UTC time rather than a literal number.

Once you have added yourself to the role that can edit the ACL (the value of the ACLAdminRole web.config key), you will be able to update the ACL via the ACL.aspx page. You can then go to the default.aspx page and see which roles you are in.
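With the role in place, the check behind ACL.aspx is the resolution order described above: roles granted to the user's own Domain\userid entry plus roles granted to any AD group in the user's Windows token. The following is an added example of that logic written for this page; it is not the project's SQLRoleProvider extension (which is in the earlier post) and does not use the project's two stored procedures. It reads the standard aspnet_* tables directly with a parameterised query, assumes Windows authentication (so the request identity is a WindowsIdentity), a connection string named SQLRoleManagerConnection, and the application name SQLProviderTest from the SQL above.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Linq;
using System.Security.Principal;
using System.Text;

// Added illustration, not the project's code: resolve application roles for a
// Windows-authenticated user from the standard aspnet_* tables, treating AD
// groups stored as "users" in aspnet_Users exactly like explicit user entries.
public static class AclRoleResolver
{
    // The user's own DOMAIN\name plus every group SID in the logon token,
    // translated to DOMAIN\group. Token groups were issued by the domain
    // controller at logon, so no LDAP round-trip or stored credential is needed.
    public static List<string> PrincipalNames(WindowsIdentity identity)
    {
        var names = new List<string> { identity.Name };
        if (identity.Groups == null) return names;
        foreach (IdentityReference sid in identity.Groups)
        {
            string name = null;
            try { name = sid.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { /* orphaned SID: skip it */ }
            if (name != null) names.Add(name);
        }
        return names;
    }

    // Roles granted to any of the given principals. One SQL parameter per name,
    // so a crafted group or user name can never alter the query text.
    public static string[] GetRoles(string connectionString, string applicationName, IEnumerable<string> principals)
    {
        List<string> names = principals.Select(n => n.ToLowerInvariant()).Distinct().ToList();
        if (names.Count == 0) return new string[0];

        var placeholders = new StringBuilder();
        for (int i = 0; i < names.Count; i++)
        {
            if (i > 0) placeholders.Append(',');
            placeholders.Append("@p").Append(i);
        }
        string sql =
            "SELECT DISTINCT r.RoleName " +
            "FROM dbo.aspnet_Roles r " +
            "JOIN dbo.aspnet_Applications a ON a.ApplicationId = r.ApplicationId " +
            "JOIN dbo.aspnet_UsersInRoles ur ON ur.RoleId = r.RoleId " +
            "JOIN dbo.aspnet_Users u ON u.UserId = ur.UserId " +
            "WHERE a.LoweredApplicationName = @app AND u.LoweredUserName IN (" + placeholders + ")";

        var roles = new List<string>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@app", applicationName.ToLowerInvariant());
            for (int i = 0; i < names.Count; i++)
                cmd.Parameters.AddWithValue("@p" + i, names[i]);
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
                while (reader.Read()) roles.Add(reader.GetString(0));
        }
        return roles.ToArray();
    }

    // Gate for ACL.aspx: fail closed if ACLAdminRole is missing from web.config.
    public static bool CanEditAcl(IEnumerable<string> roles)
    {
        string adminRole = ConfigurationManager.AppSettings["ACLAdminRole"];
        if (string.IsNullOrEmpty(adminRole)) return false;
        return roles.Any(r => string.Equals(r, adminRole, StringComparison.OrdinalIgnoreCase));
    }

    // Typical use from ACL.aspx under Windows authentication (assumed names).
    public static bool CurrentUserCanEditAcl(WindowsIdentity identity)
    {
        string cs = ConfigurationManager.ConnectionStrings["SQLRoleManagerConnection"].ConnectionString;
        string[] roles = GetRoles(cs, "SQLProviderTest", PrincipalNames(identity));
        return CanEditAcl(roles);
    }
}
```

Because the SQL provider tables are not case-sensitive on names (the Lowered* columns exist for exactly this reason), the lookup lower-cases both the principal names and the application name; the role comparison is likewise case-insensitive so that the ACLAdminRole key does not have to match the stored role name character for character.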

For a better user experience I would suggest wrapping the content of the ACL.aspx page in an AJAX panel. I have purposely not done this because there are a variety of AJAX implementations around, so this is up to you.

Happy Coding.
