I'm not sure if this is possible, but I'd like to limit my users to specific areas of an Intranet site based on their membership in specific Global Groups created in SQL Server.
For example, I've got the following menu in ASP:
<div class="clear hideSkiplink" id="MainMenu">
    <asp:Menu ID="NavigationMenu" runat="server" CssClass="menu"
        IncludeStyleBlock="False" Orientation="Horizontal"
        BackColor="#CC3300">
        <Items>
            <asp:MenuItem NavigateUrl="~/Default.aspx" Text="Home" Selectable="true" />
            <asp:MenuItem NavigateUrl="~/Forms/frmCensusList.aspx" Text="Census Editing"/>
            <asp:MenuItem NavigateUrl="~/Forms/frmRoster.aspx" Text="Roster Editing"/>
            <asp:MenuItem NavigateUrl="~/Forms/frmReportMenu.aspx" Text="Reporting"/>
            <asp:MenuItem NavigateUrl="~/About.aspx" Text="About"/>
            <%-- <asp:MenuItem NavigateUrl="~/WebForm1.aspx" Text="Test"/>--%>
        </Items>
    </asp:Menu>
</div>
And then the following in the Code Behind that limits what "security level" can see the "About" page:
protected void Page_Load(object sender, EventArgs e)
{
    string path = Request.AppRelativeCurrentExecutionFilePath;
    foreach (MenuItem item in NavigationMenu.Items)
    {
        item.Selected = item.NavigateUrl.Equals(path, StringComparison.InvariantCultureIgnoreCase);
    }
    // If the user isn't an Admin, hide the About menu option
    string ActiveUser = System.Web.HttpContext.Current.User.Identity.Name;
    string SecurityLevel = ActiveUser.SecLevel();
    if (SecurityLevel != "ADMIN")
    {
        MenuItem mnuItem = NavigationMenu.FindItem("About"); // Find particular item
        if (mnuItem != null)
        {
            NavigationMenu.Items.Remove(mnuItem);
        }
    }
}
SecLevel() is a function I created that's based on a table of users' IDs, but maintaining the table is a pain, plus future projects are going to be a pain to compile the original table, and it will just be easier if I can do this based on existing Global Groups.
Anyone got any suggestions?
Your Global Groups are probably just Active Directory Security groups. You can do this with not too much difficulty by using the built-in ASP.NET Role Provider, web.config entries to control which groups/roles can see which menu items, and binding your menu control to use a web.sitemap file. All of this combined with securityTrimmingEnabled will ensure your menu options are shown to users in the groups you have defined. If these are not AD groups, you can still do this but would have to create a Custom Role Provider which could check against your SQL Server groups or simply use the table you have already created.
Your web.config location entries will end up looking something like this based on the example you provided, with entries for each of the pages you want to allow the user to see:
<configuration>
    <location path="~/About.aspx">
        <system.web>
            <authorization>
                <allow roles="ADMIN"/>
                <deny users="*"/>
            </authorization>
        </system.web>
    </location>
    <location path="~/Forms/frmCensusList.aspx">
        <system.web>
            <authorization>
                <allow roles="CENSUS,ADMIN,ETC"/>
                <deny users="*"/>
            </authorization>
        </system.web>
    </location>
    <location path="~/Forms/frmRoster.aspx">
        <system.web>
            <authorization>
                <allow roles="ADMIN,ROSTER"/>
                <deny users="*"/>
            </authorization>
        </system.web>
    </location>
    ...
</configuration>
<system.web>
    <siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
        <providers>
            <add name="XmlSiteMapProvider"
                description="Default SiteMap provider."
                type="System.Web.XmlSiteMapProvider"
                siteMapFile="Web.sitemap"
                securityTrimmingEnabled="true" />
        </providers>
    </siteMap>
</system.web>
Sample web.sitemap:
<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
    <!-- XmlSiteMapProvider requires exactly one root siteMapNode -->
    <siteMapNode url="~/Default.aspx" title="Home" description="">
        <siteMapNode url="~/forms/frmCensusList.aspx" title="Census" description="" roles="ADMIN,CENSUS" />
        <siteMapNode url="~/forms/frmRoster.aspx" title="Roster Editing" description="" roles="ADMIN,ROSTER" />
        <siteMapNode url="~/forms/frmReportMenu.aspx" title="Reporting" description="" roles="ADMIN,REPORTS" />
        ...
        <siteMapNode url="~/About.aspx" title="About" description="" roles="ADMIN" />
    </siteMapNode>
</siteMap>
See this SO article for more information
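A check for the gap between trimming a menu and protecting the page behind it, as an added example that is not part of the original answers: it evaluates `<location>` authorization rules in order for a given role set and lists sitemap URLs that have no rule at all. The sample files are constructed from the snippets above, and the function names and the user name `ALICE` are assumptions.

```python
import xml.etree.ElementTree as ET
# Constructed samples modelled on the answer's snippets; only two pages have rules.
WEB_CONFIG = """<configuration>
  <location path="~/About.aspx"><system.web><authorization>
    <allow roles="ADMIN"/><deny users="*"/>
  </authorization></system.web></location>
  <location path="~/Forms/frmCensusList.aspx"><system.web><authorization>
    <allow roles="CENSUS,ADMIN"/><deny users="*"/>
  </authorization></system.web></location>
</configuration>"""
WEB_SITEMAP = """<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0">
  <siteMapNode url="~/Default.aspx" title="Home">
    <siteMapNode url="~/forms/frmCensusList.aspx" title="Census" roles="ADMIN,CENSUS"/>
    <siteMapNode url="~/forms/frmRoster.aspx" title="Roster Editing" roles="ADMIN,ROSTER"/>
    <siteMapNode url="~/About.aspx" title="About" roles="ADMIN"/>
  </siteMapNode>
</siteMap>"""
NODE = "{http://schemas.microsoft.com/AspNet/SiteMap-File-1.0}siteMapNode"

def norm(path):
    """Drop a leading '~/' and fold case so both files' paths compare equal."""
    return path.lstrip("~/").lower()

def split(value):
    """Turn a comma-separated roles/users attribute into an upper-cased set."""
    return {v.strip().upper() for v in (value or "").split(",") if v.strip()}

def load_rules(config_xml):
    """Map each <location> path to its ordered (action, roles, users) rules."""
    rules = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        for auth in loc.iter("authorization"):
            rules[norm(loc.get("path", ""))] = [
                (r.tag, split(r.get("roles")), split(r.get("users"))) for r in auth]
    return rules

def is_allowed(rules, path, roles, user="ALICE"):
    """First matching rule wins; with no match the inherited default is allow.
    Simplified: ignores verbs, '?' (anonymous) and rules inherited from parents."""
    for action, rule_roles, rule_users in rules.get(norm(path), []):
        if rule_roles & split(",".join(roles)) or rule_users & {"*", user.upper()}:
            return action == "allow"
    return True

def pages_without_rules(config_xml, sitemap_xml):
    """Sitemap URLs that list roles but have no <location> rule in this config."""
    rules = load_rules(config_xml)
    return [n.get("url") for n in ET.fromstring(sitemap_xml).iter(NODE)
            if n.get("roles") and norm(n.get("url")) not in rules]
```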
1. Create a MainMasterPage, a UserMasterPage and an AdminMasterPage.
2. UserMasterPage and AdminMasterPage use MainMasterPage.
3. Put the menu in MainMasterPage.
4. In the login page, if the user and password are valid:
    Session["ActiveUser"] = txtUsername.Text;
    Session["SecurityLevel"] = // get the role for ActiveUser from the database and set it in this session.
5. In UserMasterPage Page_Load:
    if (Session["SecurityLevel"] == null)
    {
        Response.Redirect("~/login.aspx"); // go to login page
    }
    else
    {
        if (Session["SecurityLevel"].ToString() != "User")
        {
            Response.Redirect("~/login.aspx"); // go to login page
        }
    }
6. In AdminMasterPage Page_Load:
    if (Session["SecurityLevel"] == null)
    {
        Response.Redirect("~/login.aspx"); // go to login page
    }
    else
    {
        if (Session["SecurityLevel"].ToString() != "ADMIN")
        {
            Response.Redirect("~/login.aspx"); // go to login page
        }
    }
7. Then admin pages use AdminMasterPage and user pages use UserMasterPage.
I think you can do this the role-managing way. If you do it this way, you can easily do it, for
if (!System.Web.HttpContext.Current.User.IsInRole("ADMIN"))
{
    MenuItem mnuItem = NavigationMenu.FindItem("About"); // Find particular item
    if (mnuItem != null)
    {
        NavigationMenu.Items.Remove(mnuItem);
    }
}