AzMan - ADAM store

If I have an AzMan store within ADAM and I have a role called auditor, and I now add a group that lives within AD: when I initialize a store within code, what does it actually load? Is it only the Role/Task/Operation matrix? (I've noticed that if I add an operation after the initialize it doesn't appear in the operations collection unless I re-initialize the store; this I can live with.)

What my concern is: if I have a store initialized and I now need to get a client context (via a SID), does the AzMan store test for group membership every time, or does it cache which users are potentially in which roles when the store is initialized? For example, if I have ~250,000 users within N roles and I add/remove users from the group within AD, when I ask to initialize a client context will I get some AzMan-cached one? Or do I have to initialize the store for each individual user for every request?

So to recap: I initialize a store; the AzMan roles have AD groups; I initialize a user context; a new user is added to the AD group; I attempt to initialize a user context with this new user without re-initializing the AzMan store. Will I get a context?

Regards
Robert.

Hello Robert,

Without having tested it - yes, this should work, as AzMan does not know anything about users; it only knows about groups/roles, which it retrieves, e.g. from the token.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

Just a quick follow-up after some testing (I can't verify the test was correct), but on an XP box, if I create a local group and add that to the role, initialise the app store and load an application, adding a user to the group doesn't seem to work: the user is not a member of the roles that the group belongs to.

"Dominick Baier [DevelopMentor]" <dbaier@pleasepleasenospamdevelop.com> wrote in message news:281796632495870038397264@news.microsoft.com...
> Without having tested it - yes, this should work, as AzMan does not know anything
> about users; it only knows about groups/roles, which it retrieves, e.g. from
> the token.
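Editor's note, added to this thread and not code posted by Robert or Dominick: the sequence the question describes (initialize the store, open the application, build a client context from a SID, check an operation, then refresh after a policy change) maps directly onto the AzRoles COM interfaces, and is worth seeing as one script. The store URL, the application name "ExpenseApp", the operation "AuditReport" with ID 1, and the caller SID are all assumptions for the example. Two points the thread touches that the script makes concrete: the store's own cache (roles, tasks, operations, role assignments) is populated by Initialize() and refreshed with UpdateCache(), which is why a newly added operation does not appear until a refresh; and group expansion happens when the client context is created, so a context built from a SID with the group-expansion option on is evaluated against membership as of that moment, whereas a context built from an existing logon token (InitializeClientContextFromToken) carries whatever groups that token was issued with, since a token's group list is fixed at logon.

```powershell
# Added example by the editor, not code from the thread.
# Assumptions: store location, application name, operation name/ID and the SID.
$StoreUrl  = 'msxml://C:\azman\store.xml'   # for ADAM use msldap://host:port/CN=...,...
$AppName   = 'ExpenseApp'
$CallerSid = 'S-1-5-21-1000000000-2000000000-3000000000-1105'   # hypothetical SID

# Initialize() loads the policy (roles, tasks, operations, role assignments)
# into an in-memory cache. Flags 0 = open for run-time use, no store creation.
$store = New-Object -ComObject AzRoles.AzAuthorizationStore
$store.Initialize(0, $StoreUrl, $null)
$app = $store.OpenApplication($AppName, $null)

function Test-AzManOperation {
    param(
        $App,                       # IAzApplication opened above
        [string]$Sid,               # SDDL string SID of the principal
        [string]$OperationName,     # display name used for auditing only
        [int]$OperationId           # the operation's numeric ID in the store
    )

    # Build the client context from a SID. Option 0 lets AzMan expand the
    # principal's group membership at this point; AZ_CLIENT_CONTEXT_SKIP_GROUP (1)
    # would evaluate the bare SID only, which is appropriate solely when role
    # assignments reference the user's own SID rather than groups.
    $ctx = $App.InitializeClientContextFromStringSid($Sid, 0, $null)

    # Roles resolved for this principal; '' selects the application scope.
    $roles = @($ctx.GetRoles(''))

    # AccessCheck returns one status per requested operation:
    # 0 = NO_ERROR (granted), 5 = ERROR_ACCESS_DENIED.
    $results = $ctx.AccessCheck($OperationName, @(''), @($OperationId),
                                $null, $null, $null, $null, $null)

    [pscustomobject]@{
        Sid     = $Sid
        Roles   = $roles
        Granted = ($results[0] -eq 0)
    }
}

$before = Test-AzManOperation -App $app -Sid $CallerSid -OperationName 'AuditReport' -OperationId 1
$before

# ... the user is added to the group (AD or local) out of band here ...

# Policy edits made in the store after Initialize() (a new operation, a changed
# role assignment) are not visible to $app until the cache is refreshed. This is
# the call that replaces "re-initialize the store"; group membership itself is
# not stored in the cache and is resolved per client context as shown above.
$store.UpdateCache($null)
$app = $store.OpenApplication($AppName, $null)

$after = Test-AzManOperation -App $app -Sid $CallerSid -OperationName 'AuditReport' -OperationId 1
$after
```

The account running the script needs read access to the store (the AzMan Readers role on the store or application), which is a separate matter from the caller SID being checked; and when the context comes from a token rather than a SID, expect the group list of that token, not of the directory, so a user added to a group after logging on will only be picked up by a context built from a fresh token or from the SID.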