Re: Authorization based on roles or directory access?



And I have one other suggestion.

Your authorization sections in the web.config file can specify a script
as well as a subdirectory.

<location path="Subdirectory">
  <system.web>
    <authorization>
      <allow roles="Power Users"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
<location path="Subdirectory/AdminsAndPowerUsers.aspx">
  <system.web>
    <authorization>
      <allow roles="Admins,Power Users"/>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>

I'm not sure how inconvenient this will be until I get further along in
my development effort.

But the roles attribute in the sitemap works for this authorization
scheme as well.

Rob

Jakob Lithner wrote:
First to make myself clear:
I have several roles but we can simplify the case and list three of them:
- Members
- Editors
- Admins
They are not mutually exclusive, so a user in the Editors role also belongs
to the Members role.

You wrote this:
"For navigation node(treeview node, menu item)'s visibility(whether it can
be displayed to a certain user) on navigation controls, it is controlled by
both the <authorization> setting and the "roles" attribute in
<siteMapNode>. And by default, if you have enabled security trimming in
sitemap provider. e.g. (.....)
and you haven't manually specified any "roles" attribute for the
<siteMapNode> in the web.sitemap file. The visibility of each sitemapnode
is (then?) determined by <authorization> setting."

I would like this to be the case, but this is not what happens.
It would be fine if the <authorization> setting was only checked as an extra
security check for nodes that I in the sitemap decided to show.
Instead it ADDS permission so the node is shown where it shouldn't!

I do specify roles="Editors" on one of my nodes.
But this node is visible even for users that don't belong to this role.
I guess it is because I in the web.config specify <allow roles="Members"/>.

I guess the conclusion is that I need to create 10-15 directories to match
all my roles and specify corresponding sections in each web.config. That is a
lot of double work just to ensure the navigation nodes and the files have
corresponding authorizations.

I am pretty sure most people don't solve it like that.
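
Added example, not part of either post: a simplified Python model of how ASP.NET evaluates ordered <allow>/<deny> rules (first match wins, nearest <location> first) and how security trimming treats a siteMapNode's roles attribute as an additional grant rather than a restriction, which is the behaviour described above. The rule lists, the Editors-only page entry and the user role sets are constructed for illustration; only role rules and the "*" and "?" user wildcards are modelled.

```python
# Simplified model of ASP.NET URL authorization and site-map security trimming.
# Rules are (action, kind, value) tuples, ordered nearest <location> first.

def url_allows(rules, user_roles, authenticated=True):
    """First matching rule wins; if nothing matches, the machine-level
    default <allow users="*"/> applies and access is granted."""
    for action, kind, value in rules:
        names = [v.strip() for v in value.split(",")]
        if kind == "roles":
            hit = any(n in user_roles for n in names)
        else:  # kind == "users": "*" is everyone, "?" is anonymous
            hit = "*" in names or ("?" in names and not authenticated)
        if hit:
            return action == "allow"
    return True

def node_visible(node_roles, rules, user_roles, authenticated=True):
    """Security trimming: a match on the siteMapNode roles attribute shows
    the node; otherwise URL authorization for the node's page decides."""
    if "*" in node_roles or any(r in user_roles for r in node_roles):
        return True
    return url_allows(rules, user_roles, authenticated)

# Constructed case 1: only the directory is protected.
#   <allow roles="Members"/> <deny users="*"/>
DIR_RULES = [("allow", "roles", "Members"), ("deny", "users", "*")]

# Constructed case 2: a per-page <location> entry (hypothetical Editors-only
# page) is evaluated before the inherited directory rules.
PAGE_RULES = [("allow", "roles", "Editors"), ("deny", "users", "*")] + DIR_RULES

MEMBER = {"Members"}
EDITOR = {"Members", "Editors"}  # roles are not mutually exclusive

if __name__ == "__main__":
    for label, rules in (("directory only", DIR_RULES), ("per-page", PAGE_RULES)):
        for who, roles in (("member", MEMBER), ("editor", EDITOR)):
            print(label, who,
                  "node shown:", node_visible(["Editors"], rules, roles),
                  "page served:", url_allows(rules, roles))
```

With directory-only rules the Members-only user both sees the roles="Editors" node and is served the page, so the sitemap attribute is not an access control; the per-page entry closes both.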
