Bob Gregory #1
Hierarchy in user management
Hi all,
I'm a newcomer to the .Net framework having worked in bog standard
ASP/SQL for far too long.
I have a massive project coming up, for which I will need to model a
tree structure of users. Users can access other entities in the
database depending on their position in the structure and the
properties of those entities.
As a simple example, each user is a member of a store. Stores are
members of storegroups, storegroups may be members of larger
storegroups and so on. Each store has 0-N widgets, those widgets may
or may not be exposed to other stores and storegroups.
Users at the top of a subtree can see any widgets, users, stores and
groups below them, but may be granted permissions on other objects or
subtrees. Users can also be explicitly denied permissions on an object
or subtree.
Are you keeping up at the back? There'll be a short quiz at the end.
I've built one of these things before, and a right pig of a system it
was too, using separate tables for transitive closure. If you're
interested in the method I worked from, check out
http://citeseer.ist.psu.edu/dong99maintaining.html
This was wonderfully fast for updates, but got painfully slow for the
kind of aggregated selects I need to do for this system.
My question, simply, is what options are available to me in the .Net
framework? I'd rather not have to kludge together a system in an RDBMS
because it gets unwieldy and this thing will need to Scale with a
purposeful capital.
I've looked briefly at directory services, which seem to offer the
right model for the user side of things, but I'd have to tie it into
SQL in such a fashion that a user can retrieve a list of all the
widgets exposed to his subordinate users which aren't explicitly
denied to him.
So, assuming that infrastructure is available by the bucket load
(servers, software, whatever is necessary) what is the best way to
knock something like this up?
-- FlinkyWistyPomm
Ps. I apologise for the vagaries, it's the usual All Your Code Are
Belong To Us situation.
Bob Gregory Guest
-
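The visibility rule described in the question above (see everything below your own position, plus explicit grants, minus explicit denies), as an added example that is not code from any poster in this thread. The class and member names are hypothetical, and the precedence rule (a deny on the target or any of its ancestors beats every allow) is an assumption, since the thread does not state one.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical model: storegroups, stores and widgets are nodes in one tree.
class Node
{
    public readonly string Name; public readonly Node Parent;
    public Node(string name, Node parent = null) { Name = name; Parent = parent; }
    public IEnumerable<Node> PathToRoot()   // this node, then each ancestor
    {
        for (var n = this; n != null; n = n.Parent) yield return n;
    }
}

class AccessPolicy
{
    readonly Dictionary<string, Node> home = new Dictionary<string, Node>();
    readonly HashSet<(string, Node)> grants = new HashSet<(string, Node)>();
    readonly HashSet<(string, Node)> denies = new HashSet<(string, Node)>();
    public void Place(string user, Node at) => home[user] = at;
    public void Grant(string user, Node on) => grants.Add((user, on));
    public void Deny(string user, Node on) => denies.Add((user, on));

    // Assumed precedence: a deny on the target or any ancestor always wins.
    // Otherwise the user's own position, or a grant, must lie on that path.
    public bool CanSee(string user, Node target)
    {
        var path = target.PathToRoot().ToList();
        if (path.Any(n => denies.Contains((user, n)))) return false;
        home.TryGetValue(user, out var position);   // stays null for unknown users
        return path.Any(n => n == position || grants.Contains((user, n)));
    }
}

static class Demo
{
    static void Main()
    {
        var groupA = new Node("GroupA");             // constructed sample data
        Node store1 = new Node("Store1", groupA), store2 = new Node("Store2", groupA);
        var widgets = new[] { new Node("Widget1", store1), new Node("Widget2", store2) };
        var policy = new AccessPolicy();
        policy.Place("alice", groupA); policy.Deny("alice", store2);
        policy.Place("bob", store1); policy.Grant("bob", widgets[1]);
        foreach (var user in new[] { "alice", "bob", "mallory" })
            Console.WriteLine(user + ": " + string.Join(", ",
                widgets.Where(w => policy.CanSee(user, w)).Select(w => w.Name)));
    }
}
```

Because the check walks the target's path to the root on every call, moving a store under a different storegroup changes the result without rewriting any grant or deny, and a user with no recorded position and no grant sees nothing.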
richlm #2
Re: Hierarchy in user management
Not much specifically in .NET that can help to solve the
architectural/scalability issues here.
Using AD to store your organizational hierarchy + users sounds like a good
choice, and I don't think you can avoid having to store your widgets etc. in
SQL server.
You might want to look at Microsoft "Authorization Manager" (AzMan) - a new
feature in Windows Server 2003.
I'm not sure it can address all of your requirements but it might help.
richlm Guest
-
Bob Gregory #3
Re: Hierarchy in user management
Hey Rich thanks for the reply,
"richlm" <rich_lm@h0tmai1.com> wrote in message news:<#5tbB1BoEHA.2684@TK2MSFTNGP11.phx.gbl>...
> Not much specifically in .NET that can help to solve the
> architectural/scalability issues here.
No, I'm more looking for architecture tips, but there isn't a .Net
architecture group that I'm aware of.
>
> Using AD to store your organizational hierarchy + users sounds like a good
> choice, and I don't think you can avoid having to store your widgets etc. in
> SQL server.
>
I'm fine with storing my widgets in SQL, that's what it's for. My
question more specifically, is how can I integrate my user directory
with SQL, or do I need to handle that myself?
IOW, is there a native way to use the results of a search on an active
directory against SQL or do I need to write a wrapper to do all that
for me?
If not then you end up posting delimited strings or XML to SQL to
represent a list of users and that's something I want to avoid if
possible. I suppose I could use a template query and include the
results of my ad search in the template, but I detect the first whiffs
of CodeSmell.
Anyone know anything about returning XML from an active directory?
> You might want to look at Microsoft "Authorization Manager" (AzMan) - a new
> feature in Windows Server 2003.
> I'm not sure it can address all of your requirements but it might help.
I've heard vague rumblings about AzMan. I'll have another look at that
and see what occurs to me.
Cheers
-- Bob
Bob Gregory Guest
-
richlm #4
Re: Hierarchy in user management
I guess we have to look forward to the day when the AD store is SQL server.
Then maybe we can do this sort of stuff.
Another thing to look at might be the "Authorization and Profile Application
Block" from Microsoft patterns and practices.
richlm Guest
-
Joseph E Shook [MVP - ADSI] #5
Re: Hierarchy in user management
Although I don't have a solution for you, I do know that Microsoft
created something similar when they created Commerce Server 2000. They
supplied a User Profile Object along with a configuration architecture
that wrapped access to Active Directory and SQL Server. You may get
some ideas by reading about it. I googled real quick on "commerce
server User Profile Object".
One interesting link on performance characteristics:
http://www.microsoft.com/technet/prodtechnol/comm/comm2000/maintain/perform/upmtca2.mspx
Joseph E Shook [MVP - ADSI] Guest




