Can some one help me.
I'm trying to build framework in .net which uses role based security.

I want to be able to defined the roles in the web config e.g
Manager, PowerUser, Guest, AnonUser

I want to be able to map NT application groups to those roles in the
web config so that in my code I can say

If Iam.Inrole("Manager") then
rather than
If Iam.Inrole("DomainName\AG_ManagersForthisApplicait on")

the first is much simpler to use and more intuitive. I'd like to be
able to allocate the NT domain groups in the web config against the
role so that they can be changed without a recompile.

I'd also like to use this method so that if anonymous users conect
through a fire wall I can assign them a least priveldge NT identity
which I can then give the AnonUser role to.

In this way I can authorize the same way throughout the entire
application
e.g.

If Iam.Inrole("manager") then
dosomehting()
elseif Iam.Inrole("AnonUser") then
dosomethingelse()

Can any one tell me where I can find some information on how to do
this. It's seems very simple but can't find any examples of it being
used anywhere

Erick

You can create local Windows Groups, e.g. Manager and map the domain application
groups to that local group. This way you wouldn't have to specifiy the domain
in IsInRole - if the group is local you can omit the MACHINE\ part in the
name.


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

You can create local Windows Groups, e.g. Manager and map the domain application
groups to that local group. This way you wouldn't have to specifiy the domain
in IsInRole - if the group is local you can omit the MACHINE\ part in the
name.


-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)

You can also write your own "mapper" that would generate an IPrincipal
object based on the current authenticated user's WindowsPrincipal and map
that user's groups to app-specific roles. Writing something like that would
not be too hard. A framework like AzMan already does something like that
for you, although it is more sophisticated. It is probably the right thing
to look at here though.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Dominick Baier" <dbaier (AT) pleasepleasenospam_leastprivilege (DOT) com> wrote in
message news:8e6a913a154718c9b6934ea41810 (AT) news (DOT) microsoft.com...

You can also write your own "mapper" that would generate an IPrincipal
object based on the current authenticated user's WindowsPrincipal and map
that user's groups to app-specific roles. Writing something like that would
not be too hard. A framework like AzMan already does something like that
for you, although it is more sophisticated. It is probably the right thing
to look at here though.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Dominick Baier" <dbaier (AT) pleasepleasenospam_leastprivilege (DOT) com> wrote in
message news:8e6a913a154718c9b6934ea41810 (AT) news (DOT) microsoft.com...