FileSystemObject security

Status
Not open for further replies.

talenx

Programmer
Aug 7, 2001
157
US
Hello all, has anyone figured out how to control access to folder/file resources using the FileSystemObject properties? I guess when users access a folder share via the web they use the IUSR_machine user account. Correct me if I am wrong, but that would mean that you would only have the ability to set security for the IUSR_machine user account. I have a file portal where I have users access centralized resources. I need to be able to control who has access to what, preferably along the same lines as Windows AD controls security, whether it's through a database or script.

I have seen some web apps that have security built in, the ability to set folder permissions as well as control user access, though I'm not sure how they did it.

Any thoughts?

Thanks

talenx
 
Ok, if we assume that you will have a folder that is the highest the user can go when browsing, then one solution would be to require NT Login for that folder (through IS control panel). Then you can just set up NT users with different access, and depending on who they log in as (or if you use Domain Logins and they are already logged in as a Domain user on their machine it will be auto-magic) they will get different read/write settings.

Another option would be to use a database and a login, then check a table to see what the user is allowed to access. This method requires a little bit more work (building db, building tool to add/edit users/preferences, etc) but also means that you can add/edit users/preferences remotely without passing around NT security on open networks, and you can specify things in more detail.

With the second one you have 3 choices of how to store allow/deny information. You can either store every single filename or foldername with "allow" or "deny" for every single user, you can only store "allow"'s, or you can only store "deny"'s. You will also need to decide whether you want to do this on the folder level or for each individual file.
At a minimum I think you would need the following:
Database:
Table Users:
user_id - unique id, autonumber or incrementing integer
user_name - string, user login name
user_pass - string, password

Table FileSystem:
fs_id - unique id, autonumber or incrementing integer
fs_local_name - string, filename or folder name without path
fs_file_path - string, actual path, ex: "C:\Inetpub\
fs_virt_path - string, virtual path, ex: "/shared/aFile.txt"

Table Permission:
p_id - unique id, autonumber or incrementing integer
fs_id - foreign key to FileSystem table
user_id - foreign key to user table
p_allow - boolean, false for deny, true for allow

This was on the fly so I may have missed something. If you wanted to only list allow or deny values (instead of both) you wouldn't need the p_allow field, the presence of the record in the Permission table would mean it was Allowed or Denied (dependent on which one you go with).

Admin Pages I would want:
CreateUser, ListUsers, EditUsers
Add FileItem, ListFileItems, Edit FileItem, Delete FileItem
Add Permission, ListPermissions, Delete Permission
Admin Menu

The layout would be something like:
Admin Menu Links: CreateUser, ListUsers, Add FileItem, ListFileItems
ListUsers Links (next to each user on list): EditUser, DeleteUser, ListPermissions
ListFileItems Links (next to each file item on list): Edit Fileitem, DeleteFileItem
ListPermissions links(next to each permission): DeletePermission
Edit User links: List Permissions, Add Permission, EditUser

I'm starting to get carried away, another few lines and I'll end up writing the whole thing :p Hope this helps in some fashion, even if you don't end up using it. Keep an eye out for anything I may have missed, I did write this design on the fly so it's possible I overlooked something.

-T

01000111 01101111 01110100 00100000 01000011 01101111 01100110 01100110 01100101 01100101 00111111
The never-completed website:
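
The allow/deny lookup from the design above, as an added example that is not part of the original post and not the poster's code. It uses Python with an in-memory SQLite database as a stand-in for the ASP page and its database, keeps only the columns the check needs, and assumes folder-level rules where the nearest rule on the requested path or a parent folder wins and no rule means deny; the function names and sample rows are constructed.

```python
import posixpath
import sqlite3

# Trimmed version of the Users / FileSystem / Permission tables from the post.
SCHEMA = """
CREATE TABLE Users (user_id INTEGER PRIMARY KEY, user_name TEXT UNIQUE,
                    user_pass TEXT);  -- hold a salted hash here, not the password
CREATE TABLE FileSystem (fs_id INTEGER PRIMARY KEY, fs_virt_path TEXT UNIQUE);
CREATE TABLE Permission (p_id INTEGER PRIMARY KEY,
    fs_id INTEGER NOT NULL REFERENCES FileSystem(fs_id),
    user_id INTEGER NOT NULL REFERENCES Users(user_id),
    p_allow INTEGER NOT NULL, UNIQUE (fs_id, user_id));
"""

def build_sample_db():
    """Constructed sample data: two users, three folders, folder-level rules only."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO Users VALUES (?, ?, ?)",
                   [(1, "alice", "<hash>"), (2, "bob", "<hash>")])
    db.executemany("INSERT INTO FileSystem VALUES (?, ?)",
                   [(1, "/shared"), (2, "/shared/reports"), (3, "/shared/reports/hr")])
    db.executemany("INSERT INTO Permission (fs_id, user_id, p_allow) VALUES (?, ?, ?)",
                   [(1, 1, 1), (3, 1, 0), (2, 2, 1)])  # alice: /shared yes, hr no; bob: reports yes
    return db

def candidate_paths(virt_path):
    """Canonicalise the requested virtual path; return it and each parent, nearest first."""
    # Resolve "..", backslashes and case before any lookup, so a rule cannot be sidestepped.
    cleaned = virt_path.replace("\\", "/").lstrip("/").lower()
    path = posixpath.normpath("/" + cleaned)
    chain = [path]
    while path != "/":
        path = posixpath.dirname(path)
        chain.append(path)
    return chain

def is_allowed(db, user_name, virt_path):
    """Nearest rule on the path or a parent folder wins; no rule at all means deny."""
    for candidate in candidate_paths(virt_path):
        row = db.execute(
            "SELECT p.p_allow FROM Permission p "
            "JOIN Users u ON u.user_id = p.user_id "
            "JOIN FileSystem f ON f.fs_id = p.fs_id "
            "WHERE u.user_name = ? AND f.fs_virt_path = ?",
            (user_name, candidate)).fetchone()
        if row is not None:
            return bool(row[0])
    return False
```

With rules stored at the folder level, a file that appears inside a folder that already has a rule is covered without a new FileSystem or Permission row.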
 
Wow...
Tarwn, first thanks for the quick reply, and second (do your fingers hurt? :)) also it sounds like you have done this before…
Funny you should mention the database solution because I was in the process of attempting to run with it. Unfortunately this file server has files automatically placed on it by a reporting service that runs every morning, we're talking around 250 - 350 files per day. Inputting ALL of those files and folders would take forever, not to mention it would need to happen every day. I have looked around for some ideas on how to automate this, but no success.
The other option I was looking at was writing a VBS script using the WshShell and cacls.exe method to set folder and file permissions, having an ASP page execute the script. I have seen the WshShell command used before, though I will need to do some research as to how to send variables to it and execute. One of my concerns is the access that users have to the resources over the intranet. If the IUSR_machine user account has read/write access to all directories and all users that access the intranet site use that account, then how would you set the security for, say, an individual user or group in your domain?

thanks
talenx [thumbsup2]
 