Search This Blog

Tuesday, June 20, 2017

Linking XAF security roles and Active Directory Security Groups by name

We have recently created a new help topic devoted to one of the popular scenarios our users described: How to: Assign the Same Permissions for All Users of an Active Directory Group. This topic demonstrates how to map XAF security roles to AD groups. When a user logs on for the first time, existing roles with names matching the user's AD group names are automatically assigned. If the user membership in AD groups was modified, the associated roles collection will be updated accordingly on the next logon. Take special note that the corresponding XAF security roles with required permissions and matching the names of AD groups must be created first!

This article also required for us to avoid confusion with the AuthenticationActiveDirectory component name, because it does not support Active Directory Security Groups out of the box.  What this component does is just allow logging by the currently logged Windows user automatically or without the logon form.  To initialize the created XAF security user record, the AuthenticationActiveDirectory authentication uses the WindowsIdentity.Name property of an object obtained via the static WindowsIdentity.GetCurrent method to get a user name in the DOMAIN\USERNAME format.

I want to point out one implementation aspect that might be unclear: why did we create a AuthenticationActiveDirectory descendant instead of handling the CustomCreateUser event, which looks simpler? The main reason for using the descendant is that with it, the synchronization of XAF security roles is easier to implement when AD groups are updated.

I hope you find this example helpful. Please let us know in comments if you experienced a similar scenario and describe how you are currently handling it. Thanks in advance!


No comments:

Post a Comment