Author
15 Dec 2008 4:30 PM
NH
Hi

I am a complete novice in IIS/ASP but have just turned an old Access
database into my first ASP application on IIS6 with SQL 2K back end.

The app is for internal use on a corporate lan, so I am using integrated
Windows authentication with no anonymous access so that I can identify users
and populate the database with the user details whenever a change is made...

So far so good.

What I would like to do now is restrict access to certain users; i.e.
certain domain users will have more access than others, some will have none
at all..

How do I go about this? Do I have to put code in the ASP pages to handle who
can do what, or can I simply restrict access to certain pages; e.g. "only
those in the sales user group can access sales.asp" and "those in the
management group can access management.asp"

Thanks

NH

Author
16 Dec 2008 4:49 PM
DaveMo
On Dec 15, 8:30 am, NH <N***@discussions.microsoft.com> wrote:
> Hi
>
> I am a complete novice in IIS/ASP but have just turned an old Access
> database into my first ASP application on IIS6 with SQL 2K back end.
>
> The app is for internal use on a corporate lan, so I am using integrated
> Windows authentication with no anonymous access so that I can identify users
> and populate the database with the user details whenever a change is made....
>
> So far so good.
>
> What I would like to do now is restrict access to certain users; i.e.
> certain domain users will have more access than others, some will have none
> at all..
>
> How do I go about this? Do I have to put code in the ASP pages to handle who
> can do what, or can I simply restrict access to certain pages; e.g. "only
> those in the sales user group can access sales.asp" and "those in the
> management group can access management.asp"
>
> Thanks
>
> NH

The easiest way to do this is to use asp.net roles. See here for more
information: http://msdn.microsoft.com/en-us/library/aa478958.aspx

HTH,
Dave
Author
16 Dec 2008 6:04 PM
David Wang
On Dec 15, 8:30 am, NH <N***@discussions.microsoft.com> wrote:
> Hi
>
> I am a complete novice in IIS/ASP but have just turned an old Access
> database into my first ASP application on IIS6 with SQL 2K back end.
>
> The app is for internal use on a corporate lan, so I am using integrated
> Windows authentication with no anonymous access so that I can identify users
> and populate the database with the user details whenever a change is made....
>
> So far so good.
>
> What I would like to do now is restrict access to certain users; i.e.
> certain domain users will have more access than others, some will have none
> at all..
>
> How do I go about this? Do I have to put code in the ASP pages to handle who
> can do what, or can I simply restrict access to certain pages; e.g. "only
> those in the sales user group can access sales.asp" and "those in the
> management group can access management.asp"
>
> Thanks
>
> NH


You are asking about Authorization (i.e. who can do what) after you
have completed Authentication (i.e. who are you?)

IIS provides various standard Authentication Protocols, which you are
already leveraging.

IIS and ASP support Authentication through NTFS ACLs. Thus, if you can
express your Authorization concepts in terms of NTFS ACLs (i.e. Read,
Write, Traverse, List, etc), then you can take advantage of the native
support. For example, if you separate out management tasks into
management.asp, then you can ACL the file to be Read only to users in
the management group to control access.

Otherwise, you will have to build your own Authorization System on top
of ASP.

For example, if you want to have different levels of management tasks
(i.e. Administrator that can do everything vs Management that
can only manage THEIR own employees vs Page Authors that can manage
their own web pages and so on), then you will need to build your own
Authorization System. You can still use distinct web pages and ACLs
for Access Control, but it will quickly become unwieldy given the
nature of your authorization requirements.

If this looks complicated... it can be, depending on your familiarity
with the programming concepts. What you are asking for can EASILY turn
into a massive project which you do NOT want to be your FIRST ASP
application. Depending on what you want to do, you may find off-the-
shelf software that can do what you want. For example, Microsoft
Sharepoint Server is an effective way for office collaboration which
has rich support for authorization, document organization, document
management, user collaboration, etc.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
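
The per-page NTFS ACL approach described in the reply above, as an added example that is not part of the original thread. The application folder, the domain name CORP and the group names are assumptions; it uses Windows PowerShell's Get-Acl/Set-Acl and must be run by an administrator on the web server.

```powershell
# Added example (not from the thread). Paths, domain and group names are assumptions.
$AppRoot    = 'C:\Inetpub\wwwroot\myapp'       # hypothetical application folder
$PageGroups = @{                               # page -> domain group allowed to read it
    'sales.asp'      = 'CORP\Sales'
    'management.asp' = 'CORP\Management'
}

function Set-PageReadAcl {
    param([string]$Path, [string]$Group)

    $acl = Get-Acl -Path $Path

    # Stop inheriting from the parent folder and drop the inherited entries, so a
    # broad grant on the web root (e.g. "Users: Read") no longer applies to this page.
    $acl.SetAccessRuleProtection($true, $false)

    # Remove explicit entries left over from earlier changes.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }

    # Administrators and SYSTEM keep control of the file; the business group gets Read only.
    $grants = @(
        @('BUILTIN\Administrators', 'FullControl'),
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @($Group,                   'Read')
    )
    foreach ($g in $grants) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($g[0], $g[1], 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($page in $PageGroups.Keys) {
    $path = Join-Path $AppRoot $page
    Set-PageReadAcl -Path $path -Group $PageGroups[$page]

    # Read the ACL back so the result can be reviewed: nothing should be inherited,
    # and the only non-administrative entry should be the intended group.
    (Get-Acl -Path $path).Access |
        Select-Object @{n='Page'; e={$page}}, IdentityReference, FileSystemRights, IsInherited
}
```

With anonymous access disabled, IIS opens the page as the authenticated Windows user, so a user outside the listed group is refused by the file system (HTTP 401.3) before any ASP code runs.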