Mapping Active Directory Groups to Roles

Sorry if this has been asked time and time again, but I have not seen a valid enough solution to this problem.

We are on the 9.0.x version of the platform.  Our apps are currently configured with AD/Integrated authentication.

However, we need the ability to auto-map a user's AD group to a pre-configured role that is set up in each application.  I have been able to do this in a one-off scenario via the OnBeginWebRequest action, but the role being assigned is hard-coded as there is no way to look up a role by name.

What I need to be able to do is create a shared module that can allow each application that references it to be able to verify that a user exists in a particular AD group that the application requires and then map that to an OS role that is used to govern authorization to web screens.

The point where I am stuck is being able to grant a role to a user by name rather than using the Grant[RoleName]Role action.

Should I just skip this entire concept of even trying to map OS roles and just expose a cached action that checks their group membership each time the OnBeginWebRequest action is fired?  This requirement for us seems to be quite painful to implement, but I may be doing something wrong.

Any help is appreciated.

Hi Michael,

A couple of things:
  1. If the roles are in different applications (modules), the only way for you to look up a role by name is to import the Role table (from the system reference) and query directly
  2. Granting a role in these conditions will also require that you write directly to the User_Role table
Are the users you're trying to grant roles already in the platform?

What we typically do is:
  1. Find the user in the platform (Users). If it's not there, then we need to create it
  2. Find the groups the user has in AD
  3. Map the groups with the roles in the platform (using the Role table)
  4. Create or Update the user-role (using the User_Role table) - This will grant the role
In the middle of this process you might need to also verify that the user still has a valid role, meaning he belongs in that group.
This is normally done at login time to ensure that the user has the right permissions.

Let me know if you have questions; if you need, we can have a Skype call or something.
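To make the four steps above (plus the "still belongs to that group" check) concrete, here is a plain-Python sketch of the login-time reconciliation. It is an added example, not code from this thread or from the OutSystems platform: the Role and User_Role shapes, the column names, the AD group names and the group-to-role mapping are all constructed stand-ins, and in the platform you would query the Role and User_Role system entities instead of these in-memory lists.

```python
"""
Constructed model of AD-group -> platform-role reconciliation at login time.
Everything here (table shapes, group names, mapping) is an assumption made for
the example; it is not the OutSystems Role / User_Role schema.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    role_id: int
    module: str   # application / module the role belongs to
    name: str     # role name; only unique within its module


# Stand-in for the platform's Role table (constructed).
ROLES = [
    Role(1, "HR", "Manager"),
    Role(2, "HR", "Clerk"),
    Role(3, "Finance", "Manager"),      # same name as role 1, different module
    Role(4, "Finance", "Auditor"),
    Role(5, "HR", "LegacyReport"),      # no AD group maps to this one
]

# Constructed AD group -> (module, role name) mapping. Only roles reachable
# from this table are "managed" by the sync; anything granted by hand stays.
GROUP_TO_ROLE = {
    "GG-HR-Managers": ("HR", "Manager"),
    "GG-HR-Staff": ("HR", "Clerk"),
    "GG-Fin-Managers": ("Finance", "Manager"),
    "GG-Fin-Audit": ("Finance", "Auditor"),
}


def find_role(module, name):
    """Look a role up by module AND name (step 3); name alone is ambiguous."""
    matches = [r for r in ROLES if r.module == module and r.name == name]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one role {module}/{name}, found {len(matches)}")
    return matches[0]


def reconcile(user_groups, current_role_ids):
    """
    Compute (grant, revoke) role-id sets for one user (steps 2-4 plus the
    membership re-check).
      grant  : managed roles the user's AD groups entitle them to but lacks
      revoke : managed roles the user holds but whose AD group they left
    Roles not reachable from GROUP_TO_ROLE are never revoked here.
    """
    managed = {find_role(m, n).role_id for (m, n) in GROUP_TO_ROLE.values()}
    entitled = set()
    for group in user_groups:
        target = GROUP_TO_ROLE.get(group)
        if target is None:
            continue                      # unmapped group, e.g. "Domain Users"
        entitled.add(find_role(*target).role_id)
    current = set(current_role_ids)
    grant = entitled - current
    revoke = (current & managed) - entitled
    return grant, revoke


def apply(user_role_rows, user_id, grant, revoke):
    """Emulate the User_Role writes (step 4): delete stale rows, add missing ones. Idempotent."""
    rows = {(uid, rid) for (uid, rid) in user_role_rows}
    rows -= {(user_id, rid) for rid in revoke}
    rows |= {(user_id, rid) for rid in grant}
    return sorted(rows)


if __name__ == "__main__":
    # Constructed sample: user 42 used to be an HR manager, now sits in Finance
    # audit, and also holds the unmanaged LegacyReport role (5).
    groups_from_ad = ["GG-Fin-Audit", "Domain Users"]
    held = {1, 5}
    grant, revoke = reconcile(groups_from_ad, held)
    print("grant:", grant, "revoke:", revoke)        # grant: {4} revoke: {1}
    print(apply([(42, 1), (42, 5), (7, 3)], 42, grant, revoke))
```

Two design choices worth noting: roles are keyed by module plus name, because (as point 1 above says) the same role name can exist in several modules, so a name-only lookup would be ambiguous; and only roles reachable from the mapping table are ever revoked, so a direct write to the user-role table cannot silently strip a role that an administrator granted by hand. Running the reconciliation a second time with the updated roles produces empty grant and revoke sets, which is what makes it safe to call on every session start.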
Renato Pauleta wrote: (quoting the reply above in full)

We are using non-persistent roles.  So, in OnSessionStart or OnBeginWebRequest, we grant the roles.  I'd prefer not to write directly to the roles table unless this is a valid thing to do.  What I'm surprised about is that in a standard custom .NET Web application, I can return a list of AD groups like claims and use them from the application.  Not so with OutSystems as the OS role needs to be created within OS, then manually granted in some way.

Because of this restriction, we need to map AD groups to OS roles.  If an application has 20 roles because different departments access different parts of the application, we have to write this enormous action and a for loop to check each valid role and also see if they are in it, then call the Grant action.

If writing to the User_Role table directly is a more valid approach, I think we can do that and it would avoid needing to dynamically call the role actions to Grant.

Either way, we're still looking for the best way to allow Active Directory security groups to manage how application access is granted.  It's not ideal how it works in OS.