I'm looking for a simple and intuitive (for future maintainers) way to map Active Directory groups to roles/permissions in my ASP.NET MVC application that uses Windows Auth. This is similar to the question "ASP.NET MVC Roles without database (and without role provider)", but since that question was asked eight years ago, there may be new answers.
I actually expected this to be straightforward, but I'm drawing a blank searching. Is there an easier solution than to implement a custom role provider?
I would like something that would lead to a config file conceptually like this:
<configuration>
  <system.web>
    <authorization>
      <role name="Reader">
        <add users="bob"/>
        <add users="mydomain\My app readergroup"/>
      </role>
      <role name="Editor">
        <add users="alice"/>
        <add users="mydomain\My app editorgroup"/>
      </role>
      <allow roles="Reader, Editor"/>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
I ended up taking a simpler route. I defined local groups, assigned authorization to them and made the domain groups members of the local groups in production.
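For comparison, one way to keep a role-to-group mapping in configuration without a role provider, as an added example that is not code from the original post. The attribute name `AppRoleAuthorizeAttribute`, the `AppRole:` appSettings key prefix and the `;`-separated value format are assumptions made for illustration; the group names are the ones from the question.

```csharp
using System;
using System.Configuration;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Hypothetical attribute: resolves application role names to the Windows
// accounts/groups listed in appSettings (assumed key format), e.g.
//   <add key="AppRole:Reader" value="mydomain\My app readergroup;mydomain\bob" />
//   <add key="AppRole:Editor" value="mydomain\My app editorgroup;mydomain\alice" />
// Usage on a controller or action: [AppRoleAuthorize("Reader", "Editor")]
public sealed class AppRoleAuthorizeAttribute : AuthorizeAttribute
{
    private const string KeyPrefix = "AppRole:"; // assumed naming convention
    private readonly string[] _appRoles;

    public AppRoleAuthorizeAttribute(params string[] appRoles)
    {
        _appRoles = appRoles ?? new string[0];
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (httpContext == null) throw new ArgumentNullException("httpContext");
        var user = httpContext.User;
        // Anonymous requests are rejected before any group lookup.
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return false;

        foreach (var appRole in _appRoles)
        {
            var mapped = ConfigurationManager.AppSettings[KeyPrefix + appRole];
            // Fail closed: a role with no mapping in config grants nothing.
            if (string.IsNullOrWhiteSpace(mapped)) continue;

            var names = mapped.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries)
                              .Select(n => n.Trim());
            foreach (var name in names)
            {
                // An entry matches either the account name itself (DOMAIN\user under
                // Windows auth) or a group present in the user's Windows token.
                if (string.Equals(user.Identity.Name, name, StringComparison.OrdinalIgnoreCase)
                    || user.IsInRole(name))
                    return true;
            }
        }
        return false;
    }
}
```

A misspelled role name or a missing appSettings key results in denial rather than access, so configuration mistakes surface as 401 responses instead of silent over-permissioning.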