I have a Windows service, and want to define two roles (administrator and reader) for all the users who try to access my service, so that whoever is assigned the administrator role has full control over my system, whereas a reader can only do read-only operations.
So, it looks like I have two options.
Approach using Database
I can simply use a database to maintain users and their corresponding roles. So, whenever I get a request, I can validate it based on the user context by querying the DB.
It sounds like a simple option, but how do I make it safe?
- For example, if someone looks at my code in Reflector, they can find out which table is used and manipulate its contents so that they can exploit this solution :(
Approach using Directory Services (AD LDS - LDAP)
It looks like Microsoft defined Active Directory Lightweight Directory Services particularly for this purpose. I can probably define my own roles and add Windows security principals to them so that only the AD LDS administrators can manipulate them - looks like a better approach.
But I am not sure how to do this programmatically in C# - can anyone give me pointers so that I can get a quick start?
Finally, which option is better/recommended and why?
Update:
It looks like these two, "User Group and Role Management in .NET with Active Directory" and "What does "active directory integration" mean in your .NET app?", give me some of the detail I am looking for, and it will probably take some time before I consolidate these to define the approach for my app :)
Best Regards!
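One way to do the AD LDS role check described in the question, as an added C# example (not code from the question or from any answer). It assumes an AD LDS instance on localhost:50000 with partition DC=MyService,DC=local, a CN=Roles container holding the groups ServiceAdministrators and ServiceReaders, and that Windows principals added to those groups appear as foreignSecurityPrincipal objects whose CN is the SID, which is how AD LDS represents them:

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Security.Principal;
public enum ServiceRole { None, Reader, Administrator }
public static class AdLdsRoleResolver
{
    // Added example (not from the question); instance and DN values are assumptions.
    const string AdLdsServer = "LDAP://localhost:50000/";
    const string RoleContainerDn = "CN=Roles,DC=MyService,DC=local";

    public static ServiceRole Resolve(WindowsIdentity caller)
    {
        // Caller's own SID plus every group SID in its token, so a Windows group placed in a role grants it to all members.
        var callerSids = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        if (caller.User != null) callerSids.Add(caller.User.Value);
        foreach (IdentityReference g in caller.Groups ?? new IdentityReferenceCollection())
            callerSids.Add(g.Value);
        // Most privileged role first; no match means no access at all.
        if (RoleContains("ServiceAdministrators", callerSids)) return ServiceRole.Administrator;
        if (RoleContains("ServiceReaders", callerSids)) return ServiceRole.Reader;
        return ServiceRole.None;
    }

    static bool RoleContains(string roleGroupCn, HashSet<string> callerSids)
    {
        string path = AdLdsServer + "CN=" + roleGroupCn + "," + RoleContainerDn;
        try
        {
            // Bind as the service account, which only needs read access to the group.
            using (var group = new DirectoryEntry(path, null, null, AuthenticationTypes.Secure))
            {
                // Windows principals are foreignSecurityPrincipal members whose RDN is
                // the SID, e.g. CN=S-1-5-21-...-1001,CN=ForeignSecurityPrincipals,DC=...
                foreach (object memberDn in group.Properties["member"])
                    if (callerSids.Contains(FirstRdnValue(memberDn.ToString()))) return true;
            }
        }
        catch (COMException) { /* group missing or directory unreachable: fail closed */ }
        return false;
    }
    // "CN=value,rest" -> "value"; SIDs contain no commas, so no DN escaping to handle.
    static string FirstRdnValue(string dn)
    {
        int eq = dn.IndexOf('=');
        int end = dn.IndexOf(',', eq + 1);
        return end < 0 ? dn.Substring(eq + 1) : dn.Substring(eq + 1, end - eq - 1);
    }
}
```

Call `AdLdsRoleResolver.Resolve(WindowsIdentity.GetCurrent())` (or the impersonated identity of the request) at the start of each operation and refuse anything the returned role does not permit; since membership lives in the directory, reading the service's code only reveals which groups exist, not a way to change them.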