How to implement a role hierarchy in an ASP.NET MVC application using ActiveDirectoryMembershipProvider

Time: 2021-07-16 02:59:11

In my ASP.NET MVC app I am using the ActiveDirectoryMembershipProvider. In Active Directory I have created a couple of roles (groups) similar to, for simplicity of this example, "normal" and "administrator".

I am currently querying whether the user is in a role by getting the IPrincipal of the HttpContext and calling User.IsInRole(nameOfRoleGoesHere);.

The behaviour I'm looking for is to be able to ask whether the user is in role "administrator" and then implicitly be asking whether the user is in all roles below that (in this case role "normal" would be below "administrator"). As my roles are mainly vertical (if that makes any sense), this kind of role inheritance seems to make sense for my application at the moment.

How can I get this behaviour? Must I implement some custom logic allowing me to ask for role "administrator", but abstracting away actually asking for both "normal" and "administrator" in Active Directory behind the scenes, or is it possible to structure groups in Active Directory somehow, giving me this behaviour automatically?

Apologies for any gross misunderstandings of ASP.NET, Active Directory and .NET security on my part; I am a rookie and experimenting.

2 solutions

#1


3  

AD supports the concept of a group being a member of another group?

So you could have the following:

Users: Anne, Bob, Charlie, Douglas, Elliot, Fred and George.

Roles: Normal, Editor, Admin

Then define each group as:

Admin has the following members: George

Editor has the following members: "Admin", Douglas, Elliot

Normal has the following members: "Editor", "Admin", Anne, Bob, Charlie

Therefore, you know that George is a member of Normal, Editor and Admin, because all members of Admin are included in those groups, while Douglas is only a member of Editor and Normal, and Anne is just a Normal user, and AD would say "yes, George is a Normal user" if you asked it.

HOWEVER: there isn't (as far as I know) an official, MS-supported ActiveDirectory RoleProvider that would populate the RolePrincipal with the correct AD roles; there are a couple out there, like this one on CodePlex. What have you defined as your role provider?

The default ASP.NET role provider doesn't support role hierarchies, so you would need to either:

  1. Put the user in each role they have access to, and only check for the role you're interested in.

  2. Put the user in the most powerful role they can access, and then check for every role that should have access.

  3. Write/find a role provider that supports hierarchies, simply by returning true if the user is in a higher-order role.
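
As an added example (not code from the original answer, nor from any project it mentions), here is one way to implement the second option in C#: the principal carries only the AD group(s) the user actually belongs to, and the check tests every role that should grant access. It assumes a strictly vertical chain Normal < Editor < Admin, that the System.Web.Mvc assembly is referenced for the attribute, and that the AD-backed IPrincipal can be stood in for by GenericPrincipal objects constructed inline; RoleHierarchy, IsInRoleOrAbove and AuthorizeAtLeastAttribute are names chosen here, not framework APIs.

```csharp
// Added example, not from the original answer. Assumes a strictly vertical
// chain of roles (Normal < Editor < Admin). The AD-backed IPrincipal is
// stood in for by the GenericPrincipal objects constructed in Demo.Main.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

public sealed class RoleHierarchy
{
    // Roles from least to most privileged.
    private readonly string[] _lowestToHighest;

    public RoleHierarchy(params string[] lowestToHighest)
    {
        if (lowestToHighest == null || lowestToHighest.Length == 0)
            throw new ArgumentException("At least one role is required.", "lowestToHighest");
        _lowestToHighest = lowestToHighest;
    }

    // The role itself plus every role above it. AD group names are
    // case-insensitive, so compare that way. An unknown role throws so that
    // a misspelled role name is caught immediately instead of quietly
    // denying (or, with a different bug, granting) access.
    public IEnumerable<string> RolesImplying(string role)
    {
        int index = Array.FindIndex(_lowestToHighest,
            r => string.Equals(r, role, StringComparison.OrdinalIgnoreCase));
        if (index < 0)
            throw new ArgumentException("Unknown role: " + role, "role");
        return _lowestToHighest.Skip(index);
    }

    // The user holds only the AD group(s) they actually have, so test each
    // group that should grant access to 'role'.
    public bool IsInRoleOrAbove(IPrincipal user, string role)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;                        // anonymous callers never match
        return RolesImplying(role).Any(user.IsInRole);
    }
}

// Replacement for [Authorize(Roles = "...")] that honours the hierarchy.
// Assumed wiring: one application-wide hierarchy held in a static field.
public sealed class AuthorizeAtLeastAttribute : AuthorizeAttribute
{
    public static RoleHierarchy Hierarchy = new RoleHierarchy("Normal", "Editor", "Admin");

    private readonly string _minimumRole;

    public AuthorizeAtLeastAttribute(string minimumRole)
    {
        if (string.IsNullOrEmpty(minimumRole))
            throw new ArgumentException("A minimum role is required.", "minimumRole");
        _minimumRole = minimumRole;
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Returning false lets the base class issue the usual 401 challenge.
        return Hierarchy.IsInRoleOrAbove(httpContext.User, _minimumRole);
    }
}

// Controller usage:
//   [AuthorizeAtLeast("Editor")]
//   public ActionResult Edit(int id) { ... }

public static class Demo
{
    public static void Main()
    {
        var hierarchy = new RoleHierarchy("Normal", "Editor", "Admin");

        // Constructed sample principals: each user is in only the single AD
        // group naming their highest role, as the second option prescribes.
        var george = new GenericPrincipal(new GenericIdentity("George"), new[] { "Admin" });
        var douglas = new GenericPrincipal(new GenericIdentity("Douglas"), new[] { "Editor" });
        var anne = new GenericPrincipal(new GenericIdentity("Anne"), new[] { "Normal" });
        var anonymous = new GenericPrincipal(new GenericIdentity(""), new string[0]);

        Console.WriteLine("George >= Normal: " + hierarchy.IsInRoleOrAbove(george, "Normal"));
        Console.WriteLine("Douglas >= Admin: " + hierarchy.IsInRoleOrAbove(douglas, "Admin"));
        Console.WriteLine("Anne >= Editor: " + hierarchy.IsInRoleOrAbove(anne, "Editor"));
        Console.WriteLine("Anonymous >= Normal: " + hierarchy.IsInRoleOrAbove(anonymous, "Normal"));
    }
}
```

The check fails closed in the two cases that matter: an unauthenticated principal is rejected before any role lookup, and a role name that is not in the configured chain throws rather than returning false, so a typo in an attribute surfaces in testing instead of as a silent lockout. If you go with nested AD groups (the first option) instead, this class is unnecessary, provided the role provider you use actually reports nested membership.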

#2


1  

Active Directory really doesn't have a concept of a hierarchy in terms of membership. A user is a member of one, several, or many groups, but just that. He's a member of the "Admin" group: yes or no. He might also be a member of Group A, Group B, Group F and Group M, but there's no real "role hierarchy" like the one you're looking for.

I guess, in a way, having the ability to just combine any number of group memberships is probably even more flexible and reliable than having a hierarchy, in my opinion.

Marc
