I'm trying to determine the best route and options I have for securing a particular folder that users can access reports from in .net 4.0. My application stores reports that have been run in a folder on the server and by using the specified url link they
can access this folder and specific reports. I'm trying to lock this folder down to allow access to only certain users (I have 3 specific types of users). To further isolate them I can create three seperate folders within the parent folder for these groups.
The trick here is how do you setup permissions on these folders for hundreds of users that are in three different role levels. Also, to complicate it further is it possible to set permissions on these folders to allow only certain users within the same group
to be able to access these folders?
Standard Setup Below:
Super Group - access to Super, Medium, and Small group folders
Medium Group - medium group folder and Small Group folder
Small Group - access to small group folder
Advanced Setup:
The ability to let certain users in certain groups cross over and view things they otherwise couldn't from the above concept in certain cases. So for example letting a Small Group user view just a particular report in the Medium Group folder.
Is any of this possible? Thanks for any feedback and help with this
Are you familiar with the URL authorization mechanism in IIS? It allows you to control access to an entire directory and it can be role-based. In web.config in the directory you want to secure you'd want something like:
Thanks for the response Brock....Yep, I'm fimilar with that and it was honestly the only way other than setting it up in IIS that I'm aware of on how to do this to a certain degree.
The trick to that though is say I have 100 users in a Manager role and I want 10 of them to be in an Admin role, but only for certain things? So they technically are still in the Manager role but can view "certain" things only Admins are supposed to be
able to see, but not everything. So going back to my reports folder...How do you setup authorization on a folder that is dynamic in nature meaning users can jump out of roles to view certain things they otherwise shouldn't be able to (a certain report for
instance that their role otherwise doesn't allow)?
Admins have 10 reports that are viewable and I want 2 Managers to be able to view 4 of those certain reports but not the others.
EDIT: Reading briefly on URL authoring it seems this is possible, but knowing who can view what up front would be necessary. To get my dynamic requirement to work I'd have to set it all up through code and constantly change/update it which could prove
to be a nightmare if at all possible.
EDIT II: Also would dynamically creating and updating roles through code be advisable and would that trigger IIS to recycle itself as its a web.config change? Or would the changes made dynamically not have an effect until IIS was recycled (which I believe
might be the case)?
Yea, so maybe what you need is to actually serve the files up via a http handler or something similar where you can implement your authorization logic.
The other idea is that if you're in a Windows Server AD 2012 environment there are new policies where you can build logic into what types of users can view which files and this can be done from a central location (instead of on a DACL on the file itself).
Here'sa a vid on some of these new features:
Win Server AD 2012 looks promising, but we're still on 08 R2 and our clients are typically behind the curve on server version updates. However, I think your right with the http handler and doing my custom authorization in code when users try to get at the
files once authenticated and dropping the files into a folder that doesn't allow access outside the root or appdata. At least I think this sounds good.
Thanks again for your thoughts and suggestions Brock.
trag1
Member
23 Points
69 Posts
Folder security/access privileges
Nov 07, 2012 11:14 PM|LINK
I'm trying to determine the best route and options I have for securing a particular folder that users can access reports from in .net 4.0. My application stores reports that have been run in a folder on the server and by using the specified url link they can access this folder and specific reports. I'm trying to lock this folder down to allow access to only certain users (I have 3 specific types of users). To further isolate them I can create three seperate folders within the parent folder for these groups. The trick here is how do you setup permissions on these folders for hundreds of users that are in three different role levels. Also, to complicate it further is it possible to set permissions on these folders to allow only certain users within the same group to be able to access these folders?
Standard Setup Below:
Super Group - access to Super, Medium, and Small group folders
Medium Group - medium group folder and Small Group folder
Small Group - access to small group folder
Advanced Setup:
The ability to let certain users in certain groups cross over and view things they otherwise couldn't from the above concept in certain cases. So for example letting a Small Group user view just a particular report in the Medium Group folder.
Is any of this possible? Thanks for any feedback and help with this
BrockAllen
All-Star
28072 Points
4996 Posts
MVP
Re: Folder security/access privileges
Nov 08, 2012 12:21 AM|LINK
Are you familiar with the URL authorization mechanism in IIS? It allows you to control access to an entire directory and it can be role-based. In web.config in the directory you want to secure you'd want something like:
<?xml version="1.0" encoding="UTF-8"?> <configuration> <system.webServer> <security> <authorization> <add accessType="Allow" roles="Admin, Manager" /> <add accessType="Deny" users="?" /> </authorization> </security> </system.webServer> </configuration>For more info search for IIS URL Authorization (which is different than ASP.NET URL authorization, mind you).
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
trag1
Member
23 Points
69 Posts
Re: Folder security/access privileges
Nov 08, 2012 12:31 AM|LINK
Thanks for the response Brock....Yep, I'm fimilar with that and it was honestly the only way other than setting it up in IIS that I'm aware of on how to do this to a certain degree.
The trick to that though is say I have 100 users in a Manager role and I want 10 of them to be in an Admin role, but only for certain things? So they technically are still in the Manager role but can view "certain" things only Admins are supposed to be able to see, but not everything. So going back to my reports folder...How do you setup authorization on a folder that is dynamic in nature meaning users can jump out of roles to view certain things they otherwise shouldn't be able to (a certain report for instance that their role otherwise doesn't allow)?
Admins have 10 reports that are viewable and I want 2 Managers to be able to view 4 of those certain reports but not the others.
EDIT: Reading briefly on URL authoring it seems this is possible, but knowing who can view what up front would be necessary. To get my dynamic requirement to work I'd have to set it all up through code and constantly change/update it which could prove to be a nightmare if at all possible.
EDIT II: Also would dynamically creating and updating roles through code be advisable and would that trigger IIS to recycle itself as its a web.config change? Or would the changes made dynamically not have an effect until IIS was recycled (which I believe might be the case)?
BrockAllen
All-Star
28072 Points
4996 Posts
MVP
Re: Folder security/access privileges
Nov 08, 2012 01:08 AM|LINK
Yea, so maybe what you need is to actually serve the files up via a http handler or something similar where you can implement your authorization logic.
The other idea is that if you're in a Windows Server AD 2012 environment there are new policies where you can build logic into what types of users can view which files and this can be done from a central location (instead of on a DACL on the file itself). Here'sa a vid on some of these new features:
http://channel9.msdn.com/Events/Build/2012/3-052
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
trag1
Member
23 Points
69 Posts
Re: Folder security/access privileges
Nov 08, 2012 02:06 AM|LINK
Win Server AD 2012 looks promising, but we're still on 08 R2 and our clients are typically behind the curve on server version updates. However, I think your right with the http handler and doing my custom authorization in code when users try to get at the files once authenticated and dropping the files into a folder that doesn't allow access outside the root or appdata. At least I think this sounds good.
Thanks again for your thoughts and suggestions Brock.
BrockAllen
All-Star
28072 Points
4996 Posts
MVP
Re: Folder security/access privileges
Nov 08, 2012 02:47 AM|LINK
Yea, figured as much. But just thought I'd throw it out there :)
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/