PatrickRR
Member
114 Points
53 Posts
User Access Rights to Windows Authenticated websites / alternative to AD groups
Aug 15, 2012 09:08 PM
I am looking for some feedback.
I have a handful of sites that use AD groups to handle users' access to these sites, with either read-only, read-write, or access denied if they are not in the appropriate group. This works great in a production environment, but in order to handle this in test and QA I really need another set of AD groups. I am working under one domain for test, QA, and prod.
I have done this in the past, but wanted some feedback. I plan on creating an ASP.NET site that will manage access security for all internal websites. These sites are all written in ASP.NET on a local intranet. The security site will store the user rights in a database (website name, access rights). The security site will be installed in each area (test, QA, prod). When a user accesses a site, it will call a method in a common security layer and query the security database to verify if they have access. I do not want to use forms-based security; I would rather tie it to AD, and this still pulls the username from AD and checks the DB for access rights.
From what I see, it is either this or create an AD group for each site/area: AD-PROD, AD-TEST, AD-QA, and test if the user is in that group. I have some override code in place now in a config file for rights in test and QA, but I would rather handle that at a higher level, in a maintenance / security site, and pull the rights from the database.
My goal is to end creating AD groups for security. We have a bunch for many reasons other than just website security rights. I am thinking that handling this in a Security Admin Website using a database backend is cleaner than more AD groups.
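A sketch of the common security layer described in the post above, as an added example that is not the poster's code: Windows authentication supplies the identity, and a per-environment store decides the rights, denying by default when no row exists. `AccessStore`, `AccessLevel`, `GetAccess`, the in-memory dictionary standing in for the database, and the sample accounts and site name are all assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

public enum AccessLevel { Denied, ReadOnly, ReadWrite }

// Hypothetical stand-in for the security database (environment, site, user -> rights).
public sealed class AccessStore
{
    private readonly Dictionary<Tuple<string, string, string>, AccessLevel> _rows =
        new Dictionary<Tuple<string, string, string>, AccessLevel>();

    private static Tuple<string, string, string> Key(string env, string site, string user)
    {
        // Windows account names are case-insensitive, so normalize before comparing.
        return Tuple.Create(env.ToUpperInvariant(), site.ToUpperInvariant(), user.ToUpperInvariant());
    }

    public void Grant(string env, string site, string user, AccessLevel level)
    {
        _rows[Key(env, site, user)] = level;
    }

    public AccessLevel Find(string env, string site, string user)
    {
        AccessLevel level;
        // No row means no access: the default is Denied, never an implicit grant.
        return _rows.TryGetValue(Key(env, site, user), out level) ? level : AccessLevel.Denied;
    }
}

public static class Demo
{
    // identity is what Windows authentication supplies (HttpContext.Current.User.Identity in ASP.NET).
    public static AccessLevel GetAccess(AccessStore store, string env, string site, IIdentity identity)
    {
        if (identity == null || !identity.IsAuthenticated || string.IsNullOrEmpty(identity.Name))
            return AccessLevel.Denied;
        return store.Find(env, site, identity.Name);
    }

    public static void Main()
    {
        var store = new AccessStore(); // constructed sample rows, not real accounts
        store.Grant("prod", "Payroll", @"CORP\alice", AccessLevel.ReadOnly);
        store.Grant("test", "Payroll", @"CORP\alice", AccessLevel.ReadWrite);
        var alice = new GenericIdentity(@"corp\Alice", "Negotiate");
        foreach (var env in new[] { "prod", "test", "qa" })
            Console.WriteLine(env + ": " + GetAccess(store, env, "Payroll", alice));
    }
}
```

The environment name should come from each deployment's own configuration rather than from the request, so a test grant can never be presented to the prod instance.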
PatrickRR
Member
114 Points
53 Posts
Re: User Access Rights to Windows Authenticated websites / alternative to AD groups
Aug 16, 2012 07:36 PM
Looking for any security experts' thoughts on the approach in the previous post. Thanks.