8

I'm not sure if this is possible, but I'd like to limit my users to specific areas of an Intranet site based on their membership in specific Global Groups created in SQL Server.

For example, I've got the following menu in ASP:

    <div class="clear hideSkiplink" id="MainMenu">

        <asp:Menu ID="NavigationMenu" runat="server" CssClass="menu" 
            IncludeStyleBlock="False" Orientation="Horizontal" 
            BackColor="#CC3300">

            <Items> 
                <asp:MenuItem  NavigateUrl="~/Default.aspx" Text="Home" Selectable="true" />
                    <asp:MenuItem NavigateUrl="~/Forms/frmCensusList.aspx" Text="Census Editing"/>
                    <asp:MenuItem NavigateUrl="~/Forms/frmRoster.aspx" Text="Roster Editing"/>
                    <asp:MenuItem NavigateUrl="~/Forms/frmReportMenu.aspx" Text="Reporting"/>
                    <asp:MenuItem NavigateUrl="~/About.aspx" Text="About"/>
                   <%-- <asp:MenuItem NavigateUrl="~/WebForm1.aspx" Text="Test"/>--%>
            </Items>

        </asp:Menu>
    </div>

And then the following in the Code Behind that limits what "security level" can see the "About" page:

protected void Page_Load(object sender, EventArgs e)
{
    string path = Request.AppRelativeCurrentExecutionFilePath;
    foreach (MenuItem item in NavigationMenu.Items)
    {
        item.Selected = item.NavigateUrl.Equals(path, StringComparison.InvariantCultureIgnoreCase);
    }

    // If the user isn't an Admin, hide the About menu option
    string ActiveUser = System.Web.HttpContext.Current.User.Identity.Name;
    string SecurityLevel = ActiveUser.SecLevel();
    if (SecurityLevel != "ADMIN")
    {
        MenuItem mnuItem = NavigationMenu.FindItem("About"); // Find particular item
        if (mnuItem != null)
        {
            NavigationMenu.Items.Remove(mnuItem);
        }
    }

}

SecLevel() is a function I created that's based on a table of user's IDs, but maintaining the table is a pain, plus future projects are going to be a pain to compile the original table, and it will just be easier if I can do this based on existing Global Groups.

Anyone got any suggestions?

ekad
  • 14,436
  • 26
  • 44
  • 46
Johnny Bones
  • 8,786
  • 7
  • 52
  • 117
  • 1
    It depends. DBA and network admin are not necessarily the same person. Do you have an access to Global Groups? Usually DBA remove Domain Admin Global Group from local administrators when SQL Server is been set up/istalled. I am afraid you may find that "separate table" approach is your option afterall. – Pavel Nefyodov Aug 15 '13 at 09:28
  • AFAIK, Global Groups are not created in SQL Server, they're created in a Domain (specifically in AD). They can then be added to SQL Server as a Login, but SQL Server does not administer them and has limited functions to interrogate them. – RBarryYoung Aug 15 '13 at 13:52

4 Answers4

6

Your Global Groups are probably just Active Directory Security groups. You can do this with not too much difficulty by using the builtin ASP.NET Role Provider, web.config entries to control which groups/roles can see which menu items, and binding your menu control to use a web.sitemap file. All of this combined with securityTrimmingEnabled. will ensure your menu options are shown to to users in the groups you have defined. If these are not AD groups, you can still do this but would have to create a Custom Role Provider which could check against your SQL Server groups or simply use the table you have already created.

Your web.config location entries will end up looking something like this based on the example you provided, with entries for each of the pages you want to allow the user to see:

  <configuration>
   <location path="~/About.aspx">
      <system.web>
         <authorization>
            <allow roles="ADMIN"/>
            <deny users="*"/>
         </authorization>
      </system.web>
   </location>
   <location path="~/Forms/frmCensusList.aspx">
      <system.web>
         <authorization>
            <allow roles="CENSUS,ADMIN,ETC"/>
            <deny users="*"/>
         </authorization>
      </system.web>
   </location>
  <location path="~/Forms/frmRoster.aspx">
      <system.web>
         <authorization>
            <allow roles="ADMIN,ROSTER"/>
            <deny users="*"/>
         </authorization>
      </system.web>
   </location>
   ...

</configuration>


 <system.web>
  <siteMap defaultProvider="XmlSiteMapProvider" enabled="true">
    <providers>
      <add name="XmlSiteMapProvider"
        description="Default SiteMap provider."
        type="System.Web.XmlSiteMapProvider "
        siteMapFile="Web.sitemap"
        securityTrimmingEnabled="true" />
    </providers>
  </siteMap>
</system.web>

Sample web.sitemap:

<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="http://schemas.microsoft.com/AspNet/SiteMap-File-1.0" >
  <siteMapNode url="~/forms/frmCensusList.aspx" title="Census" description="" roles="ADMIN,CENSUS">
  <siteMapNode url="~/forms/frmRoster.aspx" title="Roster Editing" description="" roles="ADMIN,ROSTER">
  <siteMapNode url="~/forms/frmReportMenu.aspx" title="Reporting" description="" roles="ADMIN,REPORTS">
...
  <siteMapNode url="~/About.aspx" title="About" description="" roles="ADMIN">
</siteMap>

See this SO article for more information

Community
  • 1
  • 1
Rich
  • 896
  • 6
  • 15
2

1.Create a MainMasterPage and a UserMasterPage and a AdminMasterPage.
2.UserMasterPage and AdminMasterPage use from MainMasterPage.
3.Input the menu in MainMasterPage.
4.In login page if user and password is valid:

Session["ActiveUser"] = txtUsername.Text;
Session["SecurityLevel"] = //get role to ActiveUser from database and set to this session.

5.in UserMasterPage Page_Load: 

if(Session["SecurityLevel"]==null)
    {
        Response.Redirect("~/login.aspx");//go to login page
    }
    else
    {
        if(Session["SecurityLevel"].ToString()!="User")
        {
             Response.Redirect("~/login.aspx");//go to login page
        }
    }

6.in AdminMasterPage Page_Load:

if (Session["SecurityLevel"] == null)
    {
        Response.Redirect("~/login.aspx");//go to login page
    }
    else
    {
        if (Session["SecurityLevel"].ToString() != "ADMIN")
        {
            Response.Redirect("~/login.aspx");//go to login page
        }
    }

7.Then admin pages use from AdminMasterPage and user pages use from UserMasterPage.

Samiey Mehdi
  • 9,184
  • 18
  • 49
  • 63
1

I think you can do this by role managing way , If you do this way , you can easily do it ,for 

if (!System.Web.HttpContext.Current.User.IsInRole("ADMIN"))
    {
        MenuItem mnuItem = NavigationMenu.FindItem("About"); // Find particular item
        if (mnuItem != null)
        {
            NavigationMenu.Items.Remove(mnuItem);
        }
    }
Ramesh Rajendran
  • 37,412
  • 45
  • 153
  • 234
0

It would be more straight forward to use

NavigationMenu.Items.RemoveAt(0);

This will remove the first menuitem

NavigationMenu.Items[0].ChildItems.RemoveAt(1);

This will remove the second child of the fist menuitem

NavigationMenu.Items[0].ChildItems[1].ChildItems.RemoveAt(1)

This will remove the second child of the second child of the fist menuitem

Ajay
  • 6,418
  • 18
  • 79
  • 130