Maega

[web] ADSI and ASP


Hello, I have been researching using ADSI and ASP. The project I'm working on requires me to allow users only to do what they can do based on their group rights. For example, an administrator would be able to add someone to any group, whereas the French administrator would only be able to add someone to the French group. It has to be done this way so a user can't elevate their privileges. I need a starting point. Can anyone help?

I have not used ADSI itself, but we needed to implement a similar sort of security on our system. It's pretty simple to do yourself, really. Each "usergroup" entry on the database table we use for security has a list of fields with a 0 in for "denied" or a 1 for "allowed", as well as a priority number (just an integer, 1 being lowest (normal users)). All we need to make sure is that users can only change another user's level (if they can at all) up to their own level, and that the admin panel for ordering the "power levels" is only accessible by the topmost level. It's simple, and works pretty well.

That said, if you're tying into an existing ADSI system, this is pretty useless.

Quote:
Original post by benryves
I have not used ADSI itself, but we needed to implement a similar sort of security on our system. It's pretty simple to do yourself, really. Each "usergroup" entry on the database table we use for security has a list of fields with a 0 in for "denied" or a 1 for "allowed", as well as a priority number (just an integer, 1 being lowest (normal users)). All we need to make sure is that users can only change another user's level (if they can at all) up to their own level, and that the admin panel for ordering the "power levels" is only accessible by the topmost level. It's simple, and works pretty well.

That said, if you're tying into an existing ADSI system, this is pretty useless.


Unfortunately, yes. Our Microsoft network already has an Active Directory system. I must tie into it.

ADSI is the interface used for scripting Active Directory itself.

Unless you want to script Active Directory, you really don't want to use ADSI.

Let me make this clear - web applications with membership, authentication and authorisation features DO NOT NEED to use ADSI, and normally SHOULD NOT use ADSI. They can have their own security system implemented at the application level, which (if done correctly) should be plenty secure.

Plus also, the last thing you want is to give out *any* NT permissions to your web users. Trust me.

Mark

Quote:
Original post by markr
ADSI is the interface used for scripting Active Directory itself.

Unless you want to script Active Directory, you really don't want to use ADSI.

Let me make this clear - web applications with membership, authentication and authorisation features DO NOT NEED to use ADSI, and normally SHOULD NOT use ADSI. They can have their own security system implemented at the application level, which (if done correctly) should be plenty secure.

Plus also, the last thing you want is to give out *any* NT permissions to your web users. Trust me.

Mark


Would you please give me a short example of what you mean? I don't need a full application of course.

If you want to use NT integrated security for your web app, bear in mind that you don't need to use NT security for *authorisation*, only *authentication*.

You can still store the user IDs in the database and create your own groups.

If you don't need to use NT integrated security, you can create your own username / password system in your database, and have everything run independent of NT security and/or Active Directory. This is certainly the approach used by most web applications running on a Windows server - for example, I'm sure that gamedev.net does not store all our accounts in Active Directory.

Mark
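
The application-level check the replies above describe, as an added example that is not part of any post in the thread: the server authenticates the user, and the application decides what that user may do from its own group tables. It is plain JavaScript with in-memory maps standing in for database tables; the group names, levels, account names and the `MANAGES` table are constructed for illustration.

```javascript
// Constructed sample data standing in for the application's own tables.
// Level 1 is the lowest (normal users), as in the scheme described above.
const GROUP_LEVEL = new Map([["users", 1], ["french", 1], ["french_admins", 2], ["admins", 3]]);
// Which groups' membership each group may edit ("*" = any group).
const MANAGES = new Map([["admins", ["*"]], ["french_admins", ["french"]]]);
// Membership keyed by the lower-cased authenticated account name.
const MEMBERS = new Map([
  ["corp\\alice", new Set(["admins"])],
  ["corp\\pierre", new Set(["french_admins", "french"])],
  ["corp\\bob", new Set(["users"])],
]);

const key = (id) => String(id).trim().toLowerCase();
const groupsOf = (id) => MEMBERS.get(key(id)) || new Set();

// Highest level held by the user; 0 means "no record in the application".
function levelOf(id) {
  let level = 0;
  for (const g of groupsOf(id)) level = Math.max(level, GROUP_LEVEL.get(g) || 0);
  return level;
}

// Deny by default: the actor needs a group that manages the target group,
// and the target group's level must not exceed the actor's own level.
function canAddToGroup(actorId, group) {
  if (!GROUP_LEVEL.has(group)) return false;
  if (GROUP_LEVEL.get(group) > levelOf(actorId)) return false;
  for (const g of groupsOf(actorId)) {
    const managed = MANAGES.get(g) || [];
    if (managed.includes("*") || managed.includes(group)) return true;
  }
  return false;
}

// actorId must be the identity the server authenticated (e.g. the LOGON_USER
// server variable under integrated authentication), never a form field.
function addToGroup(actorId, targetId, group) {
  if (!canAddToGroup(actorId, group)) {
    throw new Error("denied: " + key(actorId) + " may not add members to " + group);
  }
  const k = key(targetId);
  if (!MEMBERS.has(k)) MEMBERS.set(k, new Set());
  MEMBERS.get(k).add(group);
  return [...MEMBERS.get(k)].sort();
}
```

An account that Windows authenticates but that has no row in the application's tables gets level 0 and is denied everything, so no NT permission ever translates into an application right on its own.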
