Introduction
Controlling Access to corporate applications usually implies:
- Authentication features, to verify the identity of users entering the applications
- Permission features, to restrict their access to application data and features
Should you need to reuse Windows Accounts stored in Active Directory for authentication purposes, look no further.
Visual Guard is a comprehensive solution for access control in .NET applications. It combines authentication, permissions and auditing features in the same tool.
This article demonstrates how to reuse Windows accounts to authenticate end-users and adapt the application to user permissions.
What Can Visual Guard .NET do for you?
The screenshots below show the result of an application secured with Visual Guard .Net:
- The user is automatically authenticated with the current Windows account.
- The application opens without requesting any user credentials
- User permissions are automatically enforced
Below are a couple of examples of how the application is changed to comply with user permissions:
Example 1: Hide or disable controls
The screenshots below show an employee form WITHOUT and WITH restrictions enforced by Visual Guard: a field is hidden and a button is disabled.
Example 2: Filter data
You may have to restrict access to sensitive data.
The example below filters a list to hide records that the user should not access.
You can also hide columns or specific fields if needed…
Prerequisite
For this tutorial, you need Microsoft Visual Studio 2008 or Visual Studio 2005 installed. The code samples below are for integration in a winform C# application. Code samples for winform VB.NET or ASP.NET are available here.
Free 30-day trials are available from the Visual Guard website.
Step 1: Declaring Windows account in Visual Guard
To do so, you will use the Visual Guard Console (no coding).
Open the Visual Guard Console and log in with the default master administrator account (Username=’Admin’ / Password=’pwd’).
Master administrators have full access to all features. Other roles are available for developers, administrators and auditors who will only perform development, identity management or auditing tasks.
In the console, open Repository=>Users, right click and select “Add Windows User or Group”.
The following dialog box opens:
Select the Windows accounts or groups you want to grant access to your application. In one repository, Visual Guard can manage accounts coming from several domains, as long as they belong to the same forest.
Step 1 is completed, Windows accounts are now declared in Visual Guard Repository.
We will now:
- Integrate your application with Visual Guard
- Create a permission to restrict access to your application
- Grant this permission to a Windows account
Step 2: Integrate Visual Guard in your Application
Integrating Visual Guard into your application is very simple.
- Reference Visual Guard assemblies in your project
Open your project in Visual Studio (2005 or 2008) and add the assemblies of Visual Guard as references of your project, as shown below:
VisualGuard.Security
is the main assembly and is always required.
- Then you should include the assembly corresponding to your applications type (Winforms, Webforms, WebServices).
- Finally, you will include the assembly corresponding to your repository (Oracle, SQLServer, File).
- Add the following code:
This code will authenticate the user with the current windows accounts and load its permissions for this application.
using System;
using System.Collections.Generic;
using System.Windows.Forms;
using Novalys.VisualGuard.Security;
using Novalys.VisualGuard.Security.WinForm;
namespace ADdemo
{
static class Program
{
Entry point of the application
[STAThread]
static
void Main()
{
Application.EnableVisualStyles();
Application.SetCompatibleTextRenderingDefault(false);
security
VGAuthorizationState
state = VGSecurityManager.LoadSecurity (
System.Security.Principal.WindowsIdentity.GetCurrent());
if
(state.IsFailed)
{
if
(state.IsUserNotFound)
{
MessageBox.Show("Your
are not declared in the security repository");
}
else
{
if
(state.IsUserNotAuthorized)
{
MessageBox.Show("Your
are not authorized to log on to this application");
}
}
}
else
{
Application.Run(new Form1());
}
}
}
}
- Create a repository and declare your application
In Visual Guard Console, open the menu [File - Add repository] and follow the wizard instructions. Select “create a new empty repository”, then choose “File” as repository type, indicate the name and location for the new file repository, and make sure you select Windows authentication mode.
Visual Guard is now integrated with your application, and your application has been declared in the repository.
You will find a similar example for ASP.NET applications here
Step 3: Define a permission and grant it to a Windows Account
Here is how it works:
A user is granted a role.
A role contains a permission set.
A permission set contains permissions.
A permission contains technical actions.
By default, permissions are hard-coded in the application.
This possibility still exists with Visual Guard. However, the tool offers an interesting alternative, based on the .NET reflection mechanism.
You can declare permissions within Visual Guard (instead of writing code in the application), and Visual Guard will apply them dynamically at runtime. Bottom line, security rules are separated from the application code and can evolve without accessing this code. You can add or modify permissions, grant permissions to roles and grant roles to users at runtime. No need to rebuild your application when maintaining security!
Most Visual Guard permissions consist in changing object properties to restrict user access (disabling or hiding controls, filtering grids…). More complex permissions are also available to cover specific needs (using values from the database, relying on conditions…).
Let’s make an example:
Right click on ‘permissions’, select ‘new permission’, and name it ‘hide employee address’.
Right click on this new permission and select “new property action” (meaning that you will define an action that will change a property in your application).
VG permission editor opens. This wizard will let you define:
- When to execute this action (on which event, under which condition)
- Which object.control.properties you want to change
- Which value should take these properties
As mentioned before, this is just a declaration stored in VG repository, you will not write code in your application.
- Select the object modified by this action.
At this point, Visual Guard lists all the objects in your application, using .NET reflection. You can then select the object ‘Employee’ to modify it.
- Define when to execute this action.
By default, the action will be executed just after Visual Guard loads the Security. You can execute the action when any event is triggered in the application, as well as define a condition for this action to be executed
- Select the controls and properties you want to modify, select the property you want to modify and change its value.
For example, in our case we will decide to hide the address and birth date field:
In the permission editor:
- Select all corresponding fields at the same time
- Select the ‘visible’ property
- Select ‘false’ as the value for this property
- Click the ‘Finish’ button.
The permission is now defined; you still have to grant this permission to users.
Therefore, you should:
- Include this new permission in a permission set (drag & drop)
- Grant this permission set to a role (drag & drop).
- Grant this role to user accounts (username/right click/Edit role list).
Now if we open the application from the current Windows session, the address fields of the employee have been dynamically hidden.
If you want to see more about Visual Guard .NET visit www.visual-guard.com: