Question
I wrote my own membership / role / profile providers for authenticating users in an Active Directory domain. I am trying to use roles-in-roles to grant permissions to users in ADDOMAIN by adding their AD group as a member of the corresponding sitecore role. If I log in as an AD user, I don't seem to get the permissions of the sitecore role; however, if I log in as a sitecore user in the same sitecore role, I do get the permissions. Is there something I am missing in the membership / role providers that I need to include in order to make this work, or is something else in play here?
We use Sitecore version 6.4, if that matters.
SOLUTION: The answer from @Yan completely solved the problem. The problem is that access to the language is granted only to users of the sitecore domain (via sitecore\Everyone). The AD users are in a different domain and do not inherit these language permissions. The fix is to grant the read / write permissions specifically to the AD domain or, as I have done, to create another sitecore role, assign the necessary permissions to that role, and then add the AD roles to it.
Permissions required for this setup: lang:read and lang:write in the master database on the item /System/Languages/[LANGUAGE] (en in my case). If you do not see these permissions in the Security Editor, click the Columns button and select those columns.
More details
I apologize in advance for the level of detail.
I wrote my own membership / role / profile providers for authenticating users in an Active Directory domain. We do not use the AD module provided by Sitecore because we want our users to see only certain groups and users, not every user / group in AD. I am also only trying to provide authentication and roles, because I do not want sitecore administrators to modify AD users or roles.
The role I'm testing with is sitecore\Content Author, because it has the permissions I want my AD users to have. The AD users are members of ADDOMAIN\Web-Authors-Group in AD, and in sitecore I set this group up as a member of sitecore\Content Author. The user ADDOMAIN\sitecoreauthor1 is a member of ADDOMAIN\Web-Authors-Group in AD, and I also have the sitecore user sitecore\bcauthor, who is a member of the sitecore\Content Author role. I also created a separate sitecore role called sitecore\SecondAuthorRole, with the user sitecore\secondAuthor in that role, to verify that roles-in-roles works properly.
If this is confusing, here is a visual representation:
Sitecore roles
sitecore\Content Author
- sitecore\bcauthor
- ADDOMAIN\Web-Authors-Group
- sitecore\SecondAuthorRole
sitecore\SecondAuthorRole
- sitecore\secondAuthor
Active Directory groups
ADDOMAIN\Web-Authors-Group
- ADDOMAIN\sitecoreauthor1
If I log in as sitecore\bcauthor, I can do everything the sitecore\Content Author role can do. If I log in as sitecore\secondAuthor, I can also do everything the sitecore\Content Author role can do. However, if I log in as ADDOMAIN\sitecoreauthor1, I do not seem to get any of the rights of the sitecore\Content Author role.
More info
Permissions for the home item (which is the object I'm testing):
ar|sitecore\Content Author|pe|+item:rename|+item:write|+item:delete|+item:create|pd|+item:rename|+item:write|+item:delete|+item:create
Code
Here is the skeleton of the read-only provider classes for membership, roles, and profile:
Membership Provider Class
public class DirectoryMembershipProvider : System.Web.Security.MembershipProvider
{
    public override string ApplicationName { get; set; }
    public override bool EnablePasswordReset { get { return false; } }
    public override bool EnablePasswordRetrieval { get { return false; } }
    public override int MaxInvalidPasswordAttempts { get { return 100; } }
    public override int MinRequiredNonAlphanumericCharacters { get { return 0; } }
    public override int MinRequiredPasswordLength { get { return 1; } }
    public override MembershipPasswordFormat PasswordFormat { get { return MembershipPasswordFormat.Clear; } }
    public override string PasswordStrengthRegularExpression { get { return ""; } }
    public override bool RequiresQuestionAndAnswer { get { return false; } }
    public override bool RequiresUniqueEmail { get { return false; } }

    // Remaining MembershipProvider overrides (ValidateUser, GetUser, ...) omitted in the post.
}
Role provider
public class DirectoryRoleProvider : System.Web.Security.RoleProvider
{
    public override string ApplicationName { get; set; }

    // Not implemented (the provider is read-only); bodies omitted in the post.
    public override void AddUsersToRoles(string[] usernames, string[] roleNames)
    public override void CreateRole(string roleName)
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole)
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames)

    // Implemented functions; bodies omitted in the post.
    public override string[] FindUsersInRole(string roleName, string usernameToMatch)
    public override string[] GetAllRoles()
    public override string[] GetRolesForUser(string username)
    public override string[] GetUsersInRole(string roleName)
    public override bool IsUserInRole(string username, string roleName)
    public override bool RoleExists(string roleName)
}
Profile Provider
public class DirectoryProfileProvider : System.Web.Profile.ProfileProvider
{
    public override string ApplicationName { get; set; }
    public override int DeleteInactiveProfiles(ProfileAuthenticationOption authenticationOption, DateTime userInactiveSinceDate) { return 0; }
    public override int DeleteProfiles(ProfileInfoCollection profiles) { return 0; }
    public override int DeleteProfiles(string[] usernames) { return 0; }

    // Remaining ProfileProvider overrides omitted in the post.
}
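To make the diagnosis in the SOLUTION concrete, here is an added toy evaluator (not code from the question or from Sitecore) for the serialized rule format quoted above, `ar|<account>|pe|+right|...|pd|+right|...`. It assumes `pe` means the item itself and `pd` its descendants, that every account implicitly belongs to `<its domain>\Everyone`, and it ignores deny rules and inheritance from ancestor items; the rule strings for the language item are constructed to show the state before and after granting the AD domain its language rights.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example (not the question's or Sitecore's code): toy evaluation of "ar|...|pe|...|pd|..." rules.
public static class RuleCheck
{
    // Yields (account, right) pairs granted on the item itself (the "pe" section of each rule).
    public static IEnumerable<(string Account, string Right)> ItemGrants(string field)
    {
        foreach (var rule in field.Split(new[] { "ar|" }, StringSplitOptions.RemoveEmptyEntries))
        {
            var tokens = rule.Split('|');      // tokens[0] is the account
            bool onItem = false;
            foreach (var t in tokens.Skip(1))
            {
                if (t == "pe") onItem = true;
                else if (t == "pd") onItem = false;
                else if (onItem && t.StartsWith("+")) yield return (tokens[0], t.Substring(1));
            }
        }
    }

    // Expands a user to every account it counts as: itself, its own domain's Everyone (assumption),
    // and every role containing it directly or through roles-in-roles.
    public static HashSet<string> Accounts(string user, Dictionary<string, string[]> roleMembers)
    {
        var acc = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { user, user.Split('\\')[0] + "\\Everyone" };
        for (bool grew = true; grew;)
        {
            grew = false;
            foreach (var role in roleMembers.Where(r => !acc.Contains(r.Key) && r.Value.Any(acc.Contains)).ToList())
            { acc.Add(role.Key); grew = true; }
        }
        return acc;
    }

    public static bool HasRight(string user, string right, string field, Dictionary<string, string[]> roles)
    {
        var acc = Accounts(user, roles);
        return ItemGrants(field).Any(g => g.Right == right && acc.Contains(g.Account));
    }

    // Constructed data mirroring the question: role membership, the Home rule string, and two language-item states.
    public static readonly Dictionary<string, string[]> Roles = new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
    {
        ["sitecore\\Content Author"] = new[] { "sitecore\\bcauthor", "ADDOMAIN\\Web-Authors-Group", "sitecore\\SecondAuthorRole" },
        ["sitecore\\SecondAuthorRole"] = new[] { "sitecore\\secondAuthor" },
        ["ADDOMAIN\\Web-Authors-Group"] = new[] { "ADDOMAIN\\sitecoreauthor1" },
    };
    public const string Home = "ar|sitecore\\Content Author|pe|+item:rename|+item:write|+item:delete|+item:create|pd|+item:rename|+item:write|+item:delete|+item:create";
    public const string LangBefore = "ar|sitecore\\Everyone|pe|+language:read|+language:write|pd|+language:read|+language:write";
    public const string LangAfter = LangBefore + "|ar|ADDOMAIN\\Everyone|pe|+language:read|+language:write|pd|+language:read|+language:write";

    public static void Main()
    {
        foreach (var u in new[] { "sitecore\\bcauthor", "sitecore\\secondAuthor", "ADDOMAIN\\sitecoreauthor1" })
            Console.WriteLine($"{u}: item:write on Home={HasRight(u, "item:write", Home, Roles)}, language:read " +
                              $"before={HasRight(u, "language:read", LangBefore, Roles)}, after={HasRight(u, "language:read", LangAfter, Roles)}");
    }
}
```

All three users get item:write on Home through roles-in-roles, but only ADDOMAIN\sitecoreauthor1 lacks language:read until the AD domain's Everyone is granted it.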