Vista - HowTo programmatically define roles and users ...

permalink · 03-25-2008

In work on a large Intranet application using WCF. Clients can impersonate
via a login form and should get access to objects on the WCF host via roles
checked programmatically on the host.
The WCF host is a Windows Service.

The assignment user - role, as well as creating/deleting users and
creating/deleting roles must be fully dynamic and changes on an hourly basis.

Think of it like a game:
- The admin defines, which boxes are on the table: red, blue, .... in the
current run
- the admin defines, who is allowed to run which box
- each player chooses one or more boxes, obtaining the list of boxes set up
for him by the admin
- several players can choose the same box.

Is there a managed .NET class to create/delete/... Windows roles, users and
their membership?

Or is it better to create my own security framework?

Or can the ASP.NET role provider be tweaked to work in this case?

Thank you very much. Herbert

permalink · 03-25-2008

The only thing a WCF service adds is a boundary. You are, in essence,
creating a authentication service. Therefore, you should forget about this.
It is a learning curve and a bit of complexity, but if you forget the
technology, you can examine the issue at hand from a flat perspective and
examine the actual problem domain.

Now, if this was flat, could you use Membership and Roles? Out of the box?
Probably not. Through a custom provider? Possibly. Examine custom providers
and see if you can solve the issue. If not, you need your own security
method. I would guess, however, that you can use this method.

But, another possiblity, that migth fit you Intranet scenario better, is to
work with Kerebos or some other Windows method. Since you are marshalling
this from a service, you will end up writing some custom code. This is more
difficult to do, but more secure.

Easier? I would aim for a custom provider first and use this service.

Even easier. Instead of using a service, create a authentication library and
include in your various projects. Not as centralized, but still a separation
of concerns.

All have their trade offs. If you want more code written, the ASP.NET
membership and role providers are the easiest and fairly full featured. If
you put too much separation between layers, it can be a royal pain in the
butt.

--
Gregory A. Beamer
MVP, MCP: +I, SE, SD, DBA

Subscribe to my blog
http://gregorybeamer.spaces.live.com/lists/feed.rss

or just read it:
http://gregorybeamer.spaces.live.com/

*************************************************
| Think outside the box!
|
*************************************************
"herbert" <herbert@xxxxxx> wrote in message
news

9F1F563-9333-47E4-ADCD-4FB97CAB5DAB@xxxxxx

Quote:

> In work on a large Intranet application using WCF. Clients can impersonate
> via a login form and should get access to objects on the WCF host via
> roles
> checked programmatically on the host.
> The WCF host is a Windows Service.
>
> The assignment user - role, as well as creating/deleting users and
> creating/deleting roles must be fully dynamic and changes on an hourly
> basis.
>
> Think of it like a game:
> - The admin defines, which boxes are on the table: red, blue, .... in the
> current run
> - the admin defines, who is allowed to run which box
> - each player chooses one or more boxes, obtaining the list of boxes set
> up
> for him by the admin
> - several players can choose the same box.
>
> Is there a managed .NET class to create/delete/... Windows roles, users
> and
> their membership?
>
> Or is it better to create my own security framework?
>
> Or can the ASP.NET role provider be tweaked to work in this case?
>
> Thank you very much. Herbert

03-25-2008	#1 (permalink)
herbert n/a posts	HowTo programmatically define roles and users ... In work on a large Intranet application using WCF. Clients can impersonate via a login form and should get access to objects on the WCF host via roles checked programmatically on the host. The WCF host is a Windows Service. The assignment user - role, as well as creating/deleting users and creating/deleting roles must be fully dynamic and changes on an hourly basis. Think of it like a game: - The admin defines, which boxes are on the table: red, blue, .... in the current run - the admin defines, who is allowed to run which box - each player chooses one or more boxes, obtaining the list of boxes set up for him by the admin - several players can choose the same box. Is there a managed .NET class to create/delete/... Windows roles, users and their membership? Or is it better to create my own security framework? Or can the ASP.NET role provider be tweaked to work in this case? Thank you very much. Herbert
My System Specs

03-25-2008	#2 (permalink)
Cowboy \(Gregory A. Beamer\) n/a posts	Re: HowTo programmatically define roles and users ... The only thing a WCF service adds is a boundary. You are, in essence, creating a authentication service. Therefore, you should forget about this. It is a learning curve and a bit of complexity, but if you forget the technology, you can examine the issue at hand from a flat perspective and examine the actual problem domain. Now, if this was flat, could you use Membership and Roles? Out of the box? Probably not. Through a custom provider? Possibly. Examine custom providers and see if you can solve the issue. If not, you need your own security method. I would guess, however, that you can use this method. But, another possiblity, that migth fit you Intranet scenario better, is to work with Kerebos or some other Windows method. Since you are marshalling this from a service, you will end up writing some custom code. This is more difficult to do, but more secure. Easier? I would aim for a custom provider first and use this service. Even easier. Instead of using a service, create a authentication library and include in your various projects. Not as centralized, but still a separation of concerns. All have their trade offs. If you want more code written, the ASP.NET membership and role providers are the easiest and fairly full featured. If you put too much separation between layers, it can be a royal pain in the butt. -- Gregory A. Beamer MVP, MCP: +I, SE, SD, DBA Subscribe to my blog http://gregorybeamer.spaces.live.com/lists/feed.rss or just read it: http://gregorybeamer.spaces.live.com/ *********************************************** \| Think outside the box! \| *********************************************** "herbert" <herbert@xxxxxx> wrote in message news9F1F563-9333-47E4-ADCD-4FB97CAB5DAB@xxxxxx Quote: > In work on a large Intranet application using WCF. Clients can impersonate > via a login form and should get access to objects on the WCF host via > roles > checked programmatically on the host. > The WCF host is a Windows Service. > > The assignment user - role, as well as creating/deleting users and > creating/deleting roles must be fully dynamic and changes on an hourly > basis. > > Think of it like a game: > - The admin defines, which boxes are on the table: red, blue, .... in the > current run > - the admin defines, who is allowed to run which box > - each player chooses one or more boxes, obtaining the list of boxes set > up > for him by the admin > - several players can choose the same box. > > Is there a managed .NET class to create/delete/... Windows roles, users > and > their membership? > > Or is it better to create my own security framework? > > Or can the ASP.NET role provider be tweaked to work in this case? > > Thank you very much. Herbert
My System Specs

Similar Threads
Thread	Forum
How to programmatically modify the users full control	Vista security
Full Control to Users programmatically	Vista account administration
Full Control to Users programmatically	Vista General
Full Control to Users programmatically	Vista networking & sharing
HowTo programmatically detect if UAC is enabled or disabled?	Vista security