Active Directory and Authorization (detects my user but doesn't grant what should)

    Question

  • Hi,

    I'm not getting the authorization working with AD. It detects my user login and displayname (so AD communication is OK) but I'm not getting the permissions that I configured. All seems correct but objects that I want to SHOW to certain AD users (me in this test) are not being shown even though I assigned the roles and perms on the Administration screen.

    Is this because I'm running in Debug mode in my dev environment? Do I have to deploy to test if my permission assignments per user/group are working?

    Note: I know about the Grant debug mode. But that's not a valid test because it does not validate that a certain screen is actually being granted to a certain AD user, like I intended.

    Thanks guys.

    Friday, May 25, 2012 1:34 PM

Answers

  • Grant for debug is the ONLY method of granting permission during debugging.

    Roles can only be assigned to AD Users in LightSwitch 2011. You can assign roles to AD Groups or Users in LightSwitch v2 in Visual Studio 11 Beta.


    Simon Jones
    If you found this post helpful, please "Vote as Helpful". If it actually answered your question, please remember to "Mark as Answer". This will help other people find answers to their problems more quickly.

    • Marked as answer by Lisalena Friday, May 25, 2012 8:23 PM
    Friday, May 25, 2012 1:51 PM

All replies

  • I am indeed using VS11 beta. But it's a bummer to only confirm that authorization is working as intended after deploying.

    I'm hiding/showing certain tabs and buttons via code, depending on AD role/user, and this way I can't validate my code before deployment. I'm certain there's a good reason for this but I was hoping otherwise.

    Simon, thanks and cheers.

    Friday, May 25, 2012 2:13 PM
  • You should deploy to a test installation for final user/acceptance tests and one job there is to confirm security is working OK.

    You should only check for Permissions in your code, not for Roles or Usernames. Roles and Usernames can change over time. Permissions are written into the application code so they can be relied on. If your code checks permissions you can unit test it during debug by granting/removing the various permissions.

    If your code checks if the current user has a particular role it will break sometime in the future if the application administrator adds, deletes or renames a role.


    Simon Jones

    Friday, May 25, 2012 2:29 PM
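
Added example, not part of the original thread and not LightSwitch's own API: a self-contained C# model of the advice in the reply above, showing a role-name check breaking when an administrator renames a role while the permission check keeps working. `AppUser`, the role names and `CanViewReports` are hypothetical stand-ins.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Stand-in for an application user; NOT the LightSwitch API. Roles are runtime
// data edited by an administrator, permissions are names fixed in the code.
class AppUser
{
    // Role name -> permissions granted by that role (administrator-managed).
    public Dictionary<string, HashSet<string>> Roles =
        new Dictionary<string, HashSet<string>>();

    public bool IsInRole(string role) { return Roles.ContainsKey(role); }

    public bool HasPermission(string permission)
    {
        return Roles.Values.Any(p => p.Contains(permission));
    }
}

static class Demo
{
    const string CanViewReports = "CanViewReports"; // hypothetical permission name

    // Fragile: depends on a role name the administrator can change.
    static bool ShowTabByRole(AppUser u) { return u.IsInRole("Managers"); }

    // Robust: depends only on the permission compiled into the application.
    static bool ShowTabByPermission(AppUser u) { return u.HasPermission(CanViewReports); }

    static void Main()
    {
        var user = new AppUser();
        user.Roles["Managers"] = new HashSet<string> { CanViewReports };
        Console.WriteLine("before rename: role={0} permission={1}",
            ShowTabByRole(user), ShowTabByPermission(user));

        // Administrator renames the role; the permissions it grants are unchanged.
        user.Roles["Team Leads"] = user.Roles["Managers"];
        user.Roles.Remove("Managers");
        Console.WriteLine("after rename:  role={0} permission={1}",
            ShowTabByRole(user), ShowTabByPermission(user));

        // Debug-style test: remove the permission and confirm the tab is hidden.
        user.Roles["Team Leads"].Remove(CanViewReports);
        Console.WriteLine("permission removed: permission={0}", ShowTabByPermission(user));
    }
}
```
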
  • Yes, sorry, misunderstanding: The code checks for the permissions assigned in "Access Control". The users and roles are then managed in the "Administration" screen.

    I'm cleaning the dust off an old (previous job) arsenal of VMs, including a domain controller, IIS and DB server. I can then test on my laptop (dev), overcoming my initial issue/question.

    Friday, May 25, 2012 8:21 PM