If you want to learn the basics of how to connect to UMRA with its COM object, please see my original post on “Basics of UMRA COM”.

Role Based Access Control (RBAC) is huge in any Active Directory environment, and during a few of the projects I have had to build, I was tasked with using UMRA to handle the RBAC on an internet/intranet web portal. How can UMRA handle and manage RBAC in a web portal? Very easily, since UMRA has the ability to work hand in hand with your Active Directory and other ODBC databases. We can have IIS identify the user who is accessing the portal with Microsoft's Integrated Authentication, then have UMRA take this user's information, go into Active Directory and pull back different attributes of the user, and even go into other ODBC databases and pull additional information about the user. Then on our web page we can have different functions that figure out what type of Role Based Access the user has.
I will show you one example below of how I was able to handle a specific client's request to have 2 RBAC types: one is “Admins” and the other is “IT Staff”. The users were separated in Active Directory by specific group memberships: Admins were members of “domain admins” and IT Staff were members of “IT Staff”.
Below is how I would check what RBAC type a specific user has when trying to access a company web portal. There are 2 portions to this script. The first is the UMRA project script itself; all it has in it is one “Get user (AD)” action and one “Get Attribute (AD)” action. The Get Attribute action gets the “memberof” attribute, which holds the groups the user is a part of. If you need help setting this script up, please see my posts here:
Below is the example VBScript:
'Create/Set Variables
Dim RetVal
Dim Umra
Dim UMRA_Server
Dim UMRA_Port
Dim UMRA_Project
Dim usergroups
UMRA_Server = "MyServerName"
UMRA_Port = 56814
UMRA_Project = "Get User Details"
'End Create/Set Variables
Set Umra = Server.CreateObject("UMRAcom.Umra") ' Creates a new reference to the UMRACom DLL
RetVal = Umra.Connect(UMRA_Server, UMRA_Port) ' Use the "Connect" method; it takes 2 parameters, UMRA_Server and UMRA_Port
If RetVal = 0 Then ' Check that we are connected to the UMRA service
    ' Hand the user authenticated by IIS Integrated Authentication to the project so it knows whose
    ' groups to look up; the variable name %username% is an assumption and must match the one the UMRA project reads
    Umra.SetVariableText "%username%", Request.ServerVariables("LOGON_USER")
    RetVal = Umra.ExecuteProjectScript(UMRA_Project) ' Use the "ExecuteProjectScript" method; it takes 1 parameter, UMRA_Project
End If
If RetVal = 0 Then ' Check that the UMRA project ran successfully
    usergroups = Umra.GetVariableText("%usergroups%") ' Read the "memberof" result out of the UMRA project variable (SetVariableText would overwrite it instead)
    'Check User Group Memberships (case-insensitive, since AD group names are not case-sensitive)
    If InStr(1, usergroups, "domain admins", vbTextCompare) >= 1 Then
        Session("User_Type") = "Domain Admin"
    ElseIf InStr(1, usergroups, "it staff", vbTextCompare) >= 1 Then
        Session("User_Type") = "IT Staff"
    Else
        Session("User_Type") = "No Access"
    End If
Else
    Session("User_Type") = "No Access" ' Fail closed when UMRA could not be reached or the project failed
End If
And there you have it: you now have a VBScript that will check to see whether the user who is accessing the portal is of an RBAC type you have set, and if not, set a session variable for that.
Blog Update July 28th 2009
I am going to update this blog since any UMRA Portal is going to have some type of user access control on it. The above UMRA example is a great way to get your user RBAC types in and functional; however, a lot of the time your RBAC types change on a daily or monthly basis, so having to update the UMRA Portal code each time this happens might be a little tough to do, since there could be a lot of pages you will need to update. So what is the new approach to this method? The new approach that I use is to integrate a database and an RBAC creation/edit form into the mix. We can still hard code the first RBAC type into the UMRA Portal, and this will never change. Typically what I will do is just hard code one group, "Domain Admins": if you are part of this group, you will have the ability to edit RBAC types on the fly, adding, modifying, etc. Typically I will store this data in an Access database; however, MSSQL is preferable if it is available. I will store the RBAC type and what group it is bound to. But then I will take this a step further, and we can talk about the logistics of this later, but I will also link this into what functions are "in" the portal. Functions like "Manage Users" or "Password Reset" are examples; these can be turned off/on depending on what you want your new RBAC type to control. So now you are able to create UMRA-based roles on the fly, bind them to an Active Directory group, then set function-level access, all on the fly; you don't need to code custom pages anymore.
Now, we will stay on the concept of being able to control your UMRA Portal dynamically from an admin menu, and talk about some more of the nifty things you can do to help ease your RBAC type changes. Since you now have a quick menu to control RBAC types, you can get more granular with your functions. So for example, instead of turning something off/on for a certain RBAC type, you can now have it so these functions either go into workflows or pass straight through and hit Active Directory. Say you just created a "Manager Level 1" RBAC type and bound it to the group "Seattle Managers"; anyone who has this group membership in Active Directory will be set as "Seattle Managers". Now, you will allow this RBAC type to edit a user's first name and last name, but you don't want it to hit Active Directory right away; maybe you want it to go into a workflow that emails "IT Staff" with a ticket to let you know that user xxxx wanted to change Joe's first name to "Billy". If "IT" approves this, it would then hit Active Directory, but if "IT" didn't approve it, it would email the associated parties and advise them. On the flip side, maybe you have another RBAC type called "Baltimore Managers"; they can do the same thing as "Seattle Managers", but when they edit a user's first name or last name, it hits Active Directory directly. As you can see, these are some very handy ways to really control your RBAC types and the functions in your portal on the fly, with no need to code any new logic.
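As an added example that is not code from the original post, here is how the database-driven approach in the two paragraphs above can be put together in the same VBScript/ASP style: the RBAC types, the AD group each is bound to, and each function's mode ("direct" hits Active Directory, "workflow" goes to an approval ticket) all come from the database, and only "Domain Admins" stays hard-coded. The table and column names, the function names, and the format of usergroups (the "memberof" list of group DNs returned by the UMRA project) are assumptions.

```vbscript
' Added example, not code from the original post: database-driven RBAC for a UMRA Portal.
' Assumed (hypothetical) tables in the Access/MSSQL database:
'   Roles(RoleName, ADGroup)                     -- RBAC type bound to one AD group
'   RoleFunctions(RoleName, FunctionName, Mode)  -- Mode is 'direct' or 'workflow'
' usergroups is assumed to be the "memberof" text UMRA returned, i.e. a list of group DNs.

' True when the memberof list contains the named group. Matching on "CN=<group>,"
' avoids the false positive a bare InStr("IT Staff") gives for a group like "IT Staff Leads".
Function IsMemberOf(usergroups, groupName)
    IsMemberOf = (InStr(1, usergroups, "CN=" & groupName & ",", vbTextCompare) > 0)
End Function

' Returns a Dictionary of FunctionName -> Mode for every function the user may use.
' conn is an open ADODB.Connection to the RBAC database.
Function GetFunctionAccess(conn, usergroups)
    Dim access, rs, sql, funcName, mode
    Set access = CreateObject("Scripting.Dictionary")
    access.CompareMode = vbTextCompare

    ' The one RBAC type that stays hard-coded: Domain Admins may always reach the admin menu.
    If IsMemberOf(usergroups, "Domain Admins") Then access("Manage RBAC") = "direct"

    ' No user input goes into this query; role and group names come from the database only.
    sql = "SELECT r.ADGroup, f.FunctionName, f.Mode " & _
          "FROM Roles r INNER JOIN RoleFunctions f ON r.RoleName = f.RoleName"
    Set rs = conn.Execute(sql)
    Do Until rs.EOF
        If IsMemberOf(usergroups, CStr(rs("ADGroup").Value)) Then
            funcName = CStr(rs("FunctionName").Value)
            mode = LCase(CStr(rs("Mode").Value))
            ' If two of the user's roles grant the same function, 'direct' wins over 'workflow'.
            If Not access.Exists(funcName) Or mode = "direct" Then
                access(funcName) = mode
            End If
        End If
        rs.MoveNext
    Loop
    rs.Close
    Set GetFunctionAccess = access
End Function

' Usage on a portal page, after usergroups has been read from the UMRA project:
'   Dim access: Set access = GetFunctionAccess(conn, usergroups)
'   If Not access.Exists("Password Reset") Then
'       Response.Write "No Access"
'   ElseIf access("Password Reset") = "workflow" Then
'       ' queue an approval ticket for IT Staff instead of touching Active Directory now
'   Else
'       ' run the UMRA project that performs the change directly
'   End If
```

A user with no matching role gets an empty dictionary, so every page check fails closed unless the function is explicitly granted.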