How can i implement a role-hierarchy in an asp.net mvc app using activedirectorymembershipprovider

Question

In my asp.net mvc app i am using the activedirectorymembershipprovider. In the active directory i have created a couple of roles (groups) similar to, for simplicity of this example, "normal" and "administrator".

I am currently querying whether user is in role by getting the IPrincipal of the httpcontext and calling User.IsInRole(nameOfRoleGoesHere);.

The behaviour im looking for is for me to be able to ask whether user is in role "administrator" and then implicitly be asking whether user is in all roles below that (in this case role "normal" would be below "administrator"). As my roles are mainly vertical (if that makes any sense) this kind of role-inheritance seems to make sense for my application at the moment.

How can i get this behavior - must i implement some custom logic allowing me to ask for role "administrator", but abstracting away actually asking for both "normal" and "administrator" in the active directory behind the scenes - or is it possible to structure groups in active directory somehow giving me this behaviour automatically?

Apologies for any gross misunderstandings of asp.net, active directory and .net security on my part - i am rookie and experimenting.

Answer 1

AD supports the concept of a group being a member of another group?

So you could have the following:

Users: Anne, Bob, Charlie, Douglas, Elliot, Fred and George.

Roles: Normal, Editor, Admin

Then in the define each group as:

Admin has the following members: George

Editor has the following members: "Admin", Douglas, Elliot

Normal has the following members: "Editor", "Admin", Anne, Bob, Charlie

Therefore, you know that George is a member of Normal, Editor and Admin, because all members of Admin are included in those groups, while Douglas is only a member of Editor and Normal, and Anne is just a Normal user, and AD would say "yes, George is a Normal user" if you asked it.

HOWEVER: There isn't (as far as I know) an offical, MS supported ActiveDirectory RoleProvider that would populate the RolesPrinciple with the correct AD roles - there are a couple out there like this one on CodePlex what have you defined as your role provider?

The default ASP.NET role provider doesn't support role hierarchies, so you would either need to either:

1. Put the user in each role they have access to, and only check for the role you're interested in.
2. Put the user in the most powerful role they can access, and then check for every role that should have access.
3. Write/find a role provider that supports hierarchies - simiply by returning true if the user is in a higher order role.

Answer 2

Active Directory really doesn't have a concept of a hierarchy in terms of membership. A user is member of one, several, many groups - but just that. He's member of the "Admin" group - yes or no. He might also be member of GRoup A, Gropu B, Group F and Group M - but there's no real "role hierarchy" as you're looking for.

I guess, in a way, having the ability to just combine any number of group memberships is probably even more flexible and reliable than having a hierarchy, in my opinion.

Marc