Getting a list of roles

Messages
This message was discovered on microsoft.public.dotnet.framework.aspnet.security.
Responses highlighted in red are from those people who are likely to be able to contribute good, authoritative information to this discussion. They include Microsoft employees, MVPs and others who IMHO contribute well to these kinds of discussions.
ECUnited
This may have been answered in a previous post, and if so, please excuse my redundancy. I am using Windows authentication and I know about the IsInRole check, but I need to obtain a list of roles that each user is in. What is the simplest way to do that? What I need to do is to evaluate each user's role(s) against a role assigned to a record in SQL Server, in order to display or not display an item in a web page. Any help would be greatly appreciated.
jzhu
This can be obtained from the token already built by Windows for the current user, by using a Win32 API (i.e., GetTokenInformation). I posted an answer to a similar question earlier: One option is to use DataMarvel's wrapper for Win32 APIs: http://www.DataMarvel.com Using its NAccessToken wrapper with your current "WindowsIdentity.Token", you can call the "Groups" property that returns an array of all the groups and their attributes, or simply call "UserGroups" that returns an array of the "regular" groups in "domain\group" format ("regular" means it ignores the "Logon SID" and all the restrictive groups). Its trial version has a sample solution that shows how to call them.
David Coe, MCP
Why would you make an unmanaged Win32 API call when you can use the managed System.DirectoryServices, as Joe suggests?
jzhu
Because the group information is already built for the user in the token, so the API call should have almost no cost.
Making a DirectoryServices call is much more expensive (going across the wire to a domain controller), and you can only get groups of which the user is a direct member (so if a user is a member of A and A is a subgroup of B, then B will not show up in the groups). The situation is made easier in Win2003 though.
Joe Kaplan (MVP - ADSI)
It seems to me that this is a little misleading since the token contains the SIDs, but unless LSASS.exe has cached the names of the groups for those SIDs, a network call will be involved to do the resolution.
There are some other advantages to using the DirectoryServices call in that LookupAccountName requires the current security context to be a domain account that can resolve the SID, whereas S.DS allows you to supply credentials for the operation. However, that might not be applicable in this situation.
In any event, that's the main reason why I presented options as options are good :)
Joe K.
"jzhu" wrote in message:
> Because the group information is already built for the user in the token, so the API call should have almost no cost.
> [Original message clipped]
> direct member (so if a user is a member of A and A is a subgroup of B, then B will not show up in the groups). The situation is made easier in Win2003 though.
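The following is an added example, not code from the thread or from DataMarvel's wrapper. It shows the managed equivalent of what jzhu and Joe describe: the group SIDs are read straight from the logon token through WindowsIdentity.Groups (added in .NET 2.0, after this thread), which costs no network round trip, while translating those SIDs to "DOMAIN\Group" names is the separate step that may go through LSA to a domain controller. Membership is therefore compared on SIDs so that name resolution never has to happen on the request path. The class and method names are the example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Added example (not from the thread). Requires Windows and .NET 2.0 or later.
// In ASP.NET with Windows authentication, use the request's identity
// (HttpContext.Current.User.Identity as WindowsIdentity) instead of
// WindowsIdentity.GetCurrent(), which is the worker process identity.
static class TokenGroups
{
    // Group SIDs already present in the token. No network access is needed:
    // LSASS built this list at logon. The per-session Logon SID is skipped
    // defensively even if the runtime already filters it, because it is not
    // a role that a record could be tagged with.
    public static List<SecurityIdentifier> GetGroupSids(WindowsIdentity identity)
    {
        var sids = new List<SecurityIdentifier>();
        foreach (IdentityReference group in identity.Groups)
        {
            var sid = (SecurityIdentifier)group;
            if (sid.IsWellKnown(WellKnownSidType.LogonIdsSid))
                continue;
            sids.Add(sid);
        }
        return sids;
    }

    // SID -> DOMAIN\Name. This is the potentially expensive part Joe points
    // out: each lookup goes through LSA and may contact a domain controller.
    // SIDs that cannot be mapped (deleted groups, unreachable trusted domains)
    // are reported in SDDL form rather than aborting the whole listing.
    public static Dictionary<SecurityIdentifier, string> ResolveNames(IEnumerable<SecurityIdentifier> sids)
    {
        var names = new Dictionary<SecurityIdentifier, string>();
        foreach (SecurityIdentifier sid in sids)
        {
            try
            {
                names[sid] = sid.Translate(typeof(NTAccount)).Value;
            }
            catch (IdentityNotMappedException)
            {
                names[sid] = sid.Value;
            }
        }
        return names;
    }

    // Compare on the SID, not the name: groups can be renamed and names can
    // collide across trusts, but the SID carried in the token is stable and
    // needs no resolution at all.
    public static bool IsMemberBySid(WindowsIdentity identity, SecurityIdentifier requiredGroup)
    {
        return identity.Groups.Contains(requiredGroup);
    }

    static void Main()
    {
        WindowsIdentity me = WindowsIdentity.GetCurrent();

        foreach (KeyValuePair<SecurityIdentifier, string> kv in ResolveNames(GetGroupSids(me)))
            Console.WriteLine("{0,-48} {1}", kv.Value, kv.Key.Value);

        // Authenticated Users (S-1-5-11) is added to the token by Windows at
        // logon; it is exactly the kind of SID an AD tokenGroups lookup misses.
        var authUsers = new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, null);
        Console.WriteLine("Authenticated Users: " + IsMemberBySid(me, authUsers));
    }
}
```

If the role assigned to a record can be stored as a SID string alongside (or instead of) its display name, the check at page-render time reduces to IsMemberBySid and the name translation is only needed for administrative display, which is where the cost Joe describes belongs.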
jzhu
Thanks for pointing out the cost of translating SIDs to their names. I never thought of that before.
Joe Kaplan (MVP - ADSI) wrote:
> It seems to me that this is a little misleading since the token contains the SIDs, but unless LSASS.exe has cached the names of the groups for those SIDs, a network call will be involved to do the resolution.
Joe Kaplan (MVP - ADSI)
There is a hack you can do using reflection on the private _GetRoles() method on WindowsIdentity to get the array of strings containing the actual Windows group names that IsInRole uses under the hood. However, that would be a bad idea to use in production, as reflecting on private members is not a good idea and may leave you stranded on a future version of the framework.
You could also try to look up the groups using System.DirectoryServices and expanding a user's tokenGroups AD attribute to get their group membership, but this is tricky and will miss some of the other SIDs that Windows adds to the token such as Authenticated Users and such.
Another idea would be to just loop through your roles in SQL and call IsInRole on each one to get a mapping. That is probably the easiest way to go. Also, you could potentially do that only once and cache the results if that is an expensive operation.
HTH,
Joe K.
"ECUnited" wrote in message:
> This may have been answered in a previous post, and if so, please excuse my redundancy. I am using Windows authentication and I know about the IsInRole check, but I need to obtain a list of roles that each user is in. How is the most simple way to do that? What I need to do is to evaluate each user's role(s) against a role assigned to a record in SQL Server, in order to display or not display an item in a web page. Any help would be greatly appreciated. [Original message clipped]
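An added example, not from the thread, of Joe's last suggestion applied to ECUnited's case: load the distinct role names that records actually reference from SQL Server, ask WindowsPrincipal.IsInRole about each one once per user, cache the answer for a bounded time, and then decide per record whether to show the item. The table RecordRoles, its column RoleName, and the RoleMap class are assumed for illustration; role names are expected in DOMAIN\Group form, which is what IsInRole resolves.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Security.Principal;

// Added example (not from the thread). Requires .NET 3.5 or later for HashSet.
// In ASP.NET with Windows authentication the principal to pass in is
// (WindowsPrincipal)HttpContext.Current.User.
public sealed class RoleMap
{
    private sealed class Entry
    {
        public HashSet<string> Roles;
        public DateTime Expires;
    }

    private readonly Dictionary<string, Entry> _cache =
        new Dictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);
    private readonly object _lock = new object();
    private readonly TimeSpan _ttl;

    public RoleMap(TimeSpan ttl) { _ttl = ttl; }

    // Only the role names that records reference are candidates. Every
    // IsInRole(string) call resolves a name to a SID, so the candidate set
    // is kept to what the database actually uses, not every group in AD.
    // (RecordRoles / RoleName is an assumed schema.)
    public static List<string> LoadRoleNames(string connectionString)
    {
        var roles = new List<string>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("SELECT DISTINCT RoleName FROM RecordRoles", conn))
        {
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
                while (r.Read()) roles.Add(r.GetString(0));
        }
        return roles;
    }

    // Subset of the candidates this user holds, computed once per user per TTL.
    public HashSet<string> RolesFor(WindowsPrincipal user, IEnumerable<string> candidates)
    {
        string key = user.Identity.Name;
        lock (_lock)
        {
            Entry e;
            if (_cache.TryGetValue(key, out e) && e.Expires > DateTime.UtcNow)
                return e.Roles;
        }

        var held = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (string role in candidates)
        {
            // An unknown or misspelled role name resolves to nothing and
            // IsInRole returns false, so a bad row in SQL fails closed
            // (the item stays hidden) rather than open.
            if (user.IsInRole(role)) held.Add(role);
        }

        lock (_lock)
            _cache[key] = new Entry { Roles = held, Expires = DateTime.UtcNow + _ttl };
        return held;
    }

    // Decision for a single record. A record with no role is treated as
    // hidden here; make that choice explicitly rather than by accident.
    public bool CanSee(WindowsPrincipal user, string recordRole, IEnumerable<string> candidates)
    {
        if (string.IsNullOrEmpty(recordRole)) return false;
        return RolesFor(user, candidates).Contains(recordRole);
    }
}
```

Two caveats go with the cache: the key is the account name, so the entry applies to that user across requests, and a group-membership change made in AD is not seen until the TTL expires (a user's token is only rebuilt at logon anyway, so a short TTL of a few minutes loses little). Keep the cache per application, not per page, and size the TTL to how quickly a revoked role must stop showing items.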