In my ASP.NET MVC app I am using the ActiveDirectoryMembershipProvider. In Active Directory I have created a couple of roles (groups) similar to, for simplicity of this example, "normal" and "administrator".
I am currently querying whether a user is in a role by getting the IPrincipal of the HttpContext and calling User.IsInRole(nameOfRoleGoesHere);.
The behaviour I'm looking for is to be able to ask whether a user is in role "administrator" and then implicitly be asking whether the user is in all roles below that (in this case role "normal" would be below "administrator"). As my roles are mainly vertical (if that makes any sense), this kind of role inheritance seems to make sense for my application at the moment.
How can I get this behaviour? Must I implement some custom logic allowing me to ask for role "administrator", but abstracting away actually asking for both "normal" and "administrator" in Active Directory behind the scenes, or is it possible to structure groups in Active Directory somehow, giving me this behaviour automatically?
Apologies for any gross misunderstandings of ASP.NET, Active Directory and .NET security on my part; I am a rookie and experimenting.
AD supports the concept of a group being a member of another group.
So you could have the following:
Users: Anne, Bob, Charlie, Douglas, Elliot, Fred and George.
Roles: Normal, Editor, Admin
Then define each group as:
Admin has the following members: George
Editor has the following members: "Admin", Douglas, Elliot
Normal has the following members: "Editor", "Admin", Anne, Bob, Charlie
Therefore, you know that George is a member of Normal, Editor and Admin, because all members of Admin are included in those groups; Douglas is only a member of Editor and Normal, and Anne is just a Normal user. AD would say "yes, George is a Normal user" if you asked it.
HOWEVER: There isn't (as far as I know) an official, MS-supported Active Directory RoleProvider that would populate the RolePrincipal with the correct AD roles; there are a couple out there, like this one on CodePlex. What have you defined as your role provider?
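The custom-logic route the question asks about, as an added example that is not from the question or either answer: a small extension method on IPrincipal that treats a check for "normal" as satisfied by any role above it. The role names, their ordering, and the GenericPrincipal objects used in the demo are assumptions standing in for what HttpContext.User and the ActiveDirectoryMembershipProvider would supply.

```csharp
// Added example (not from the question or answers): a role hierarchy
// layered on top of IPrincipal.IsInRole, so that asking for "normal" is
// satisfied by a user who holds "administrator". Role names and their
// order are assumed for the demo; in the real app the principal comes
// from HttpContext.User and the configured AD provider.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

public static class RoleHierarchy
{
    // Levels listed from lowest to highest privilege (assumed names).
    // This array is the single place that decides which role implies
    // which, so the inheritance direction can be audited in one spot.
    private static readonly string[] Levels = { "normal", "editor", "administrator" };

    // True when the principal holds the requested role or any role above it.
    // Unknown role names are rejected rather than treated as the lowest level,
    // which would otherwise grant access on a typo in a controller attribute.
    public static bool IsInRoleOrHigher(this IPrincipal user, string role)
    {
        if (user == null) throw new ArgumentNullException("user");
        int index = Array.FindIndex(Levels,
            r => string.Equals(r, role, StringComparison.OrdinalIgnoreCase));
        if (index < 0)
            throw new ArgumentException("Unknown role: " + role, "role");

        // Each IsInRole call still goes to the configured provider (AD),
        // so group membership stays the source of truth; only the
        // "role X implies role Y" step is decided here.
        return Levels.Skip(index).Any(user.IsInRole);
    }
}

public static class Demo
{
    // Constructed principals standing in for what the AD provider would return.
    static IPrincipal Make(string name, params string[] roles)
    {
        return new GenericPrincipal(new GenericIdentity(name), roles);
    }

    public static void Main()
    {
        IPrincipal george = Make("George", "administrator");
        IPrincipal anne = Make("Anne", "normal");

        Console.WriteLine(george.IsInRoleOrHigher("normal"));        // True: admin implies normal
        Console.WriteLine(george.IsInRoleOrHigher("administrator")); // True
        Console.WriteLine(anne.IsInRoleOrHigher("normal"));          // True
        Console.WriteLine(anne.IsInRoleOrHigher("administrator"));   // False: inheritance never goes upward
    }
}
```

If the groups are nested in AD as the answer above shows (Admin a member of Editor, Editor a member of Normal), the plain IsInRole("Normal") call already returns true for George and the helper is not needed; keeping the ordering explicit in code is still useful because it makes the direction of inheritance visible to whoever reviews the authorization checks.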
The default ASP.NET role provider doesn't support role hierarchies, so you would need to either:
Active Directory really doesn't have a concept of a hierarchy in terms of membership. A user is a member of one, several, or many groups, but just that. He's a member of the "Admin" group: yes or no. He might also be a member of Group A, Group B, Group F and Group M, but there's no real "role hierarchy" of the kind you're looking for.
I guess, in a way, having the ability to just combine any number of group memberships is probably even more flexible and reliable than having a hierarchy, in my opinion.
Marc