Re: Granting permissions in ADAM
No, you can't do that. ADAM grants rights based on security principals.
You'd need to do IP address restrictions with a firewall, although the
built-in one in Windows should work for that if you want to use it.

In order to do this with ADAM ACLs, you would most likely want to apply the
ACLs based on the identity of the Windows service account that will run the
web application (unless you are using impersonation/delegation; then it gets
very complex). For example, if you run a web app as NETWORK SERVICE on
MACHINEA, then you would do ACLs based on the domain SID for the MACHINEA
computer account in AD. If the web server is not in a domain, this will
likely get icky, so hopefully you won't try to make that work.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"abhi_chow" <abhichow@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:802F580E-F4C8-45E0-AB09-688CA06D827B@xxxxxxxxxxxxxxxx
Thanks Lee. That helped.
Is there a way we can grant or deny permissions to an IP address instead
of user / group DN or SID?

When I try giving the IP address then it throws an error, "No Sid found
for <IP-Address>".

Thanks,
Abhi


"Lee Flight" wrote:

Hi

To grant read access to users a good first pass is to add the ADAM Users
role (or users group that you may have created) to the ADAM Readers role.

To allow the user to update their own information you can grant the
NT AUTHORITY\SELF principal Read Property and Write Property access to
either specific attributes or a property set, e.g. personal information.
It's best to choose a suitable point in the directory tree, say the root of
the users part of the tree, and then grant the Users role (or group of your
own) List Contents on that container and grant inheritable permissions for
the SELF principal on the child object attributes. It's difficult to give
generic examples but something like:

dsacls \\localhost:389\ou=users,o=myorg /G "cn=users,cn=roles,o=myorg":LC

for List Contents if your users are below ou=users,o=myorg and then

dsacls \\localhost:389\ou=users,o=myorg /G "NT AUTHORITY\SELF:RPWP;;" /I:T

or for say just the properties in the personal information property set

dsacls \\localhost:389\ou=users,o=myorg /G "NT AUTHORITY\SELF:RPWP;personal information;" /I:T


As always, try these things in a test environment first.

Hope that helps
Lee Flight

"abhi_chow" <abhi_chow@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:25E3C70B-FA1E-4996-AD2E-4AC33CC8E8E6@xxxxxxxxxxxxxxxx
Hi,
To grant/deny permissions in ADAM, we need to use the dsacls.exe command
in the ADAM command prompt.
I need to provide permissions such that, barring Administrators, all other
users should have write permissions only on their own attributes and only
READ permissions on the attributes of other users.
Can you please help me in regard to what command should be used in this
case?
Any help will be highly appreciated.

Thanks in advance!
Abhishek.
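The dsacls grants from Lee Flight's post, together with Joe Kaplan's point that an ACL trustee has to be a security principal, as an added example that is not part of the thread. It assumes an ADAM instance on localhost:389 with the o=myorg partition from the thread; the domain name MYDOMAIN, the helper names and the RP rights for the computer account are assumptions.

```powershell
# Added example (not from the thread). Builds the dsacls grant lines from the thread for
# an ADAM instance at localhost:389 (assumed), after checking that each trustee is
# something ADAM can map to a SID: a Windows account / well-known principal, or an ADAM
# role or user DN. An IP address is neither, which is the "No Sid found for <IP-Address>"
# error; that case is reported so you can fall back to a firewall rule instead.
$Instance = '\\localhost:389'
$UsersOu  = 'ou=users,o=myorg'

function Resolve-TrusteeSid {
    # Returns the SID string for a Windows principal, or $null if it cannot be mapped.
    param([Parameter(Mandatory)][string]$Account)
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] { return $null }
}

function New-AdamGrant {
    # Emits one dsacls command line, or a SKIP line when the trustee cannot be an ACL principal.
    param(
        [Parameter(Mandatory)][string]$Trustee,
        [Parameter(Mandatory)][string]$Rights,   # e.g. LC, RP, RPWP (dsacls rights codes)
        [string]$PropertySet = '',               # e.g. 'personal information'
        [switch]$Inherit                         # adds /I:T (inherit to child objects)
    )
    if ($Trustee -match '^\d{1,3}(\.\d{1,3}){3}$') {
        return "SKIP $Trustee is an IP address, not a security principal; use a firewall rule"
    }
    # A DN names an ADAM role/user; ADAM resolves those to its own SIDs, so no Windows lookup.
    if ($Trustee -notmatch '=' -and -not (Resolve-TrusteeSid $Trustee)) {
        return "SKIP $Trustee cannot be mapped to a SID on this machine"
    }
    # dsacls ACE syntax as used in the thread: "trustee:rights" for LC,
    # "trustee:rights;;" for all properties, "trustee:rights;propertyset;" for one set.
    $ace = "${Trustee}:${Rights}"
    if ($Rights -ne 'LC') { $ace += ";${PropertySet};" }
    $line = "dsacls ${Instance}\${UsersOu} /G `"$ace`""
    if ($Inherit) { $line += ' /I:T' }
    return $line
}

New-AdamGrant -Trustee 'cn=users,cn=roles,o=myorg' -Rights 'LC'
New-AdamGrant -Trustee 'NT AUTHORITY\SELF' -Rights 'RPWP' -Inherit
New-AdamGrant -Trustee 'NT AUTHORITY\SELF' -Rights 'RPWP' -PropertySet 'personal information' -Inherit
# Joe Kaplan's case: the domain computer account of the web server running as NETWORK
# SERVICE on MACHINEA (domain name and read-only rights are assumptions).
New-AdamGrant -Trustee 'MYDOMAIN\MACHINEA$' -Rights 'RP' -Inherit
New-AdamGrant -Trustee '192.168.1.10' -Rights 'RP'
```

The script only prints the command lines; review them and run them against a test instance first, as Lee's post advises.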