I need to integrate my application into Active Directory. My application
has the concept of groups, users, and also individual permissions. Users
can be part of a group such as administrators, but explicit permissions may
also be set.
Can active directory handle this too?
For example: Administrators can typically add/remove/edit/delete an item,
but one junior administrator may have delete disabled.
Can active directory handle this? How does one go about loading this
application permissions into AD? What's the best way to integrate into AD?
I know I can use the basic IsInRole check, but would this neccessitate lots
of roles (one for each explicit permission)?
Any tutorials providing a comprehensive overview of Active Directory would
be great.
Thanks!
--
spamho...@rogers.com (Do not e-mail)
It is up to your program to decide what kind of permissions to give to
a user once active directory has told your program who your user is.
Typically, this is done through a linked list implemented by your
program. You can see examples of this in SQL Server (you specify
active directory users in the security Logins and Roles lists, and
then assign specific access rights to each listed user in these lists)
and in sharepoint (you specify active directory users through
sharepoint screens and then indicate whether they are readers,
contributors, etc). In both cases, permissions are stored and granted
by each application and not active directory.
You can use the AD to be used as a centralized policy store that holds
authorization policy for one or more applications.
Start here:
http://msdn2.microsoft.com/en-us/library/aa480244.aspx
to get an idea how you can use Authorization Manager as an high-end
authorization solution for .NET and native COM based applications.
Willy.
> You can use the AD to be used as a centralized policy store that holds
> authorization policy for one or more applications.
> Start here:
> http://msdn2.microsoft.com/en-us/library/aa480244.aspx
> to get an idea how you can use Authorization Manager as an high-end
> authorization solution for .NET and native COM based applications.
Thanks - I'll take a look at AzMan.
Do you have any experience with AzMan? Is it suitable for use in
redistributable applications? What I means is are the policies easily
packaged for deployment?
Also is the API for AzMan easy to use?
> Also is the API for AzMan easy to use?
>
Please define "easy".
All AzMan's functionality is exposed as a set of COM interfaces.
You can use these from scripting clients like VBScript and JScrip as well as
from higher level languages like VB6, C#, VB.NET, C++ etc..
The exposed interfaces can be used for both "administration" and
"programming". That means that there is a set for administration, while an
other set is meant for "application development".
Note that AzMan is only available on W2K and XP (as redistributable) and
W2K3 and higher (as part of the OS), note also that Vista and higher include
some additional functionality.
Willy.