IAzManApplicationGroup.IsInGroup fails

May 5, 2009 at 6:47 AM
I am using 3.5.4.1

IAzManApplicationGroup.IsInGroup is returning false when the user is actually in the group or true when the user is not in the group.

My test flows as follows:
1. I create 2 Application Groups, g1 and g2.
2. I then get Application Group g1 using IAzManApplication.GetApplicationGroup(g1).
3. I test to see if my current Windows user exists, using IAzManApplicationGroup.IsInGroup. It returns false like it should.
4. I add my Windows user to the group using IAzManApplicationGroup.CreateApplicationGroupMember. I can see the user using the MMC snap-in.
5. I test to see if my current Windows user exists, using IAzManApplicationGroup.IsInGroup. It returns false but it should not.

At the end of this test, both groups have the Windows user even though g1 IsInGroup reported false.

When I change the order of step 2 and start with g2, IsInGroup reports true for both groups but the user is not in g1.

Brian.

Test code; this version reports that the user could not be added to g1, but the user is added.

using System;
using System.Diagnostics;
using System.Security.Principal;
using NetSqlAzMan;
using NetSqlAzMan.ENUMS;
using NetSqlAzMan.Interfaces;

public class AzManTests
{
    private string _connectionString = "server=.;database=NewIDASec;integrated security=true";
    private IAzManStorage storage;
    private IAzManStore store;
    private IAzManApplication application;

    public AzManTests()
    {
        // setup NetSqlAzMan: storage -> store "JSD" -> application "IDA"
        this.storage = new SqlAzManStorage(_connectionString);
        this.store = this.storage["JSD"];
        this.application = this.store["IDA"];
    }

    public void Run()
    {
        string g1 = "testGroup1";
        string g2 = "testGroup2";

        // SID of the current Windows user
        IAzManSid UserAzManSID = new SqlAzManSID(WindowsIdentity.GetCurrent().User);

        // create the two groups (the same SID is passed as the first argument for both)
        this.application.CreateApplicationGroup(UserAzManSID, g1, g1, string.Empty, GroupType.Basic);
        this.application.CreateApplicationGroup(UserAzManSID, g2, g2, string.Empty, GroupType.Basic);

        // --- g1 first ---
        IAzManApplicationGroup AzGroup = this.application.GetApplicationGroup(g1);
        if (AzGroup != null)
        {
            Trace.WriteLine(string.Format("group {0} created.", AzGroup.Name));
        }

        // expected: not a member yet, so add the user
        if (!AzGroup.IsInGroup(WindowsIdentity.GetCurrent()))
        {
            AzGroup.CreateApplicationGroupMember(UserAzManSID, WhereDefined.LDAP, true);
        }

        // expected: member now
        if (!AzGroup.IsInGroup(WindowsIdentity.GetCurrent()))
        {
            Trace.WriteLine(string.Format("could not add user to group {0}.", AzGroup.Name));
        }

        // --- then g2 ---
        AzGroup = this.application.GetApplicationGroup(g2);
        if (AzGroup != null)
        {
            Trace.WriteLine(string.Format("group {0} created.", AzGroup.Name));
        }

        if (!AzGroup.IsInGroup(WindowsIdentity.GetCurrent()))
        {
            AzGroup.CreateApplicationGroupMember(UserAzManSID, WhereDefined.LDAP, true);
        }

        if (!AzGroup.IsInGroup(WindowsIdentity.GetCurrent()))
        {
            Trace.WriteLine(string.Format("could not add user to group {0}.", AzGroup.Name));
        }
    }
}



In this version of Run (g2 is looked up first), IsInGroup returns true, but the user is NOT added to g1.

    public void Run()
    {
        string g1 = "testGroup1";
        string g2 = "testGroup2";

        // SID of the current Windows user
        IAzManSid UserAzManSID = new SqlAzManSID(WindowsIdentity.GetCurrent().User);

        // create the two groups (the same SID is passed as the first argument for both)
        this.application.CreateApplicationGroup(UserAzManSID, g1, g1, string.Empty, GroupType.Basic);
        this.application.CreateApplicationGroup(UserAzManSID, g2, g2, string.Empty, GroupType.Basic);

        // --- g2 first ---
        IAzManApplicationGroup AzGroup = this.application.GetApplicationGroup(g2);
        if (AzGroup != null)
        {
            Trace.WriteLine(string.Format("group {0} created.", AzGroup.Name));
        }

        if (!AzGroup.IsInGroup(WindowsIdentity.GetCurrent()))
        {
            AzGroup.CreateApplicationGroupMember(UserAzManSID, WhereDefined.LDAP, true);
        }

        if (!AzGroup.IsInGroup(WindowsIdentity.GetCurrent()))
        {
            Trace.WriteLine(string.Format("could not add user to group {0}.", AzGroup.Name));
        }

        // --- then g1 ---
        AzGroup = this.application.GetApplicationGroup(g1);
        if (AzGroup != null)
        {
            Trace.WriteLine(string.Format("group {0} created.", AzGroup.Name));
        }

        if (!AzGroup.IsInGroup(WindowsIdentity.GetCurrent()))
        {
            AzGroup.CreateApplicationGroupMember(UserAzManSID, WhereDefined.LDAP, true);
        }

        if (!AzGroup.IsInGroup(WindowsIdentity.GetCurrent()))
        {
            Trace.WriteLine(string.Format("could not add user to group {0}.", AzGroup.Name));
        }
    }

Coordinator
May 5, 2009 at 9:07 AM

Hi mrbmason,

when you create a Store/Application Group, the first parameter (sid) is not the Owner Sid but the Store/Application Group SID. (I have fixed the Xml Documentation)

In your example you have called:

IAzManSid UserAzManSID = new SqlAzManSID(WindowsIdentity.GetCurrent().User);

this.application.CreateApplicationGroup(UserAzManSID, g1, g1, string.Empty, GroupType.Basic);
this.application.CreateApplicationGroup(UserAzManSID, g2, g2, string.Empty, GroupType.Basic);

In this way you have created two application groups with the same SID!
This is the reason for which your example does not work.

Use instead SqlAzManSID.NewSqlAzManSid() to create a random new SID:

app.CreateApplicationGroup(SqlAzManSID.NewSqlAzManSid(), "g1", String.Empty, String.Empty, GroupType.Basic);

This is the full example that works:

    IAzManStorage storage = new SqlAzManStorage("data source=.;Initial Catalog=NetSqlAzManStorage;Integrated Security = SSPI;");
    IAzManApplication app = storage["Test"]["Test"];

    // each group gets its own freshly generated SID
    app.CreateApplicationGroup(SqlAzManSID.NewSqlAzManSid(), "g1", String.Empty, String.Empty, GroupType.Basic);
    app.CreateApplicationGroup(SqlAzManSID.NewSqlAzManSid(), "g2", String.Empty, String.Empty, GroupType.Basic);

    IAzManApplicationGroup g1 = app.GetApplicationGroup("g1");
    g1.CreateApplicationGroupMember(new SqlAzManSID(WindowsIdentity.GetCurrent().User), WhereDefined.Local, true);

    bool isMember = g1.IsInGroup(WindowsIdentity.GetCurrent()); //result is true
    […]

Regards,

Andrea.

May 5, 2009 at 1:38 PM
Andrea,

Makes sense.

Thanks,

Brian
May 5, 2009 at 7:09 PM
Andrea,

Should I be allowed to create 2 groups with the same SID? Shouldn't I get an error? If not, when would it be ok for 2 groups to have the same SID?

Thanks,

Brian
Coordinator
May 5, 2009 at 9:15 PM

Hi Brian,

the Store/Application Group SID may be non-unique, to allow you to create Store/Application Group "aliases" (from .NET code only).

In certain situations this may be useful.

On the SQL Server side the Store/Application Group Primary Key is an Identity column.

Regards,

Andrea.
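The two replies above make one practical point: the first argument of CreateApplicationGroup is the group's own SID, and NetSqlAzMan will not reject two groups that share it, because shared SIDs are how group aliases are built. So a fresh SID per group is the fix, and a uniqueness check is the guard against repeating Brian's mistake. The following is an added example, not code from the thread or from the NetSqlAzMan project. It assumes a store "Test" containing an application "Test" on a local SQL Server, that GroupType and WhereDefined live in NetSqlAzMan.ENUMS, and that IAzManApplication.GetApplicationGroups() returns the application's groups with a SID property exposing StringValue (these member names are assumptions from memory of the 3.5 API).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
using NetSqlAzMan;
using NetSqlAzMan.ENUMS;
using NetSqlAzMan.Interfaces;

// Added example; not part of the original thread or of NetSqlAzMan itself.
public static class GroupSidCheck
{
    // Create an application group with a freshly generated group SID.
    // The first parameter of CreateApplicationGroup is the GROUP's SID,
    // not an owner SID, so never pass a user SID here.
    public static IAzManApplicationGroup CreateGroupWithFreshSid(IAzManApplication app, string name)
    {
        IAzManSid groupSid = SqlAzManSID.NewSqlAzManSid();
        app.CreateApplicationGroup(groupSid, name, String.Empty, String.Empty, GroupType.Basic);
        return app.GetApplicationGroup(name);
    }

    // Return every SID that is shared by more than one group in this application,
    // with the names of the colliding groups. NetSqlAzMan allows shared SIDs
    // (aliases), so an accidental duplicate like the one in the original post
    // is only visible if you look for it. Assumes GetApplicationGroups() and
    // IAzManApplicationGroup.SID.StringValue exist as named (assumption).
    public static Dictionary<string, List<string>> FindDuplicateGroupSids(IAzManApplication app)
    {
        return app.GetApplicationGroups()
            .GroupBy(g => g.SID.StringValue)
            .Where(grp => grp.Count() > 1)
            .ToDictionary(grp => grp.Key, grp => grp.Select(g => g.Name).ToList());
    }

    // Add the calling Windows user to a group (if not already a member) and
    // confirm that IsInGroup on the same group object now reports membership.
    public static bool AddCurrentUserAndVerify(IAzManApplicationGroup group)
    {
        WindowsIdentity me = WindowsIdentity.GetCurrent();
        IAzManSid userSid = new SqlAzManSID(me.User);
        if (!group.IsInGroup(me))
        {
            group.CreateApplicationGroupMember(userSid, WhereDefined.Local, true);
        }
        return group.IsInGroup(me);
    }

    public static void Main()
    {
        // Connection string, store and application names are assumptions.
        IAzManStorage storage = new SqlAzManStorage(
            "data source=.;Initial Catalog=NetSqlAzManStorage;Integrated Security=SSPI;");
        IAzManApplication app = storage["Test"]["Test"];

        IAzManApplicationGroup g1 = CreateGroupWithFreshSid(app, "g1");
        IAzManApplicationGroup g2 = CreateGroupWithFreshSid(app, "g2");

        // Guard: warn about any groups that share a SID, whether by accident
        // (Brian's case) or as a deliberate alias.
        foreach (KeyValuePair<string, List<string>> dup in FindDuplicateGroupSids(app))
        {
            Console.WriteLine("WARNING: SID {0} is shared by groups: {1}",
                dup.Key, String.Join(", ", dup.Value.ToArray()));
        }

        Console.WriteLine("g1 membership verified: {0}", AddCurrentUserAndVerify(g1));
        Console.WriteLine("g2 membership (expected false): {0}",
            g2.IsInGroup(WindowsIdentity.GetCurrent()));
    }
}
```

If FindDuplicateGroupSids reports a shared SID for groups you did not intend as aliases, the membership results of IsInGroup and the MMC view will disagree in exactly the order-dependent way described at the top of the thread, so treat the warning as a setup error rather than a library bug.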