
Active Directory: Administrators group and nested group issues
New Post
6/14/2012 5:14 PM
 

I'm a first-time dnn user, so be gentle. I'm working on migrating an existing site for a small college (here: http://www.york.edu) to a new dotNetNuke install (currently here: http://web.york.edu), and I have some questions about the security setup.

We're using Active Directory authentication, which I have installed and appears to be working... mostly. Here is what I'm not clear how to do:

  • It wants me to create Active Directory groups with names that match my dnn groups. No big deal... except for the Administrators group. We have a few people that need to be in this group, but we don't want to add them to the built-in Administrators group in Active Directory. That would be bad. When everything is up and going, we'll have a web team outside of IT that will own the site, and needs to be able to do things like install Extensions, etc, and we want to control this from within Active Directory.
  • Even users who are in the administrators group don't end up with superuser or other important privileges. 
  • When setting up individual pages, we want to give each of our coaches access to a page or several pages for their teams... preferably an "area" defined by a single parent page where they may even be allowed to create additional pages that are children of that page, but not create pages elsewhere. We want the main athletics office manager/Athletics Director to have access to the individual pages of each team by virtue of setting up Active Directory groups for the teams as children of a larger Athletics group that the office manager would also belong to (nesting). We want to control this access from Active Directory. Athletics is not the only nested example, but it's the biggest and most complicated. I'm not sure what that might look like matching it to DNN. 

Help on any of those issues is appreciated.

 
New Post
6/15/2012 12:07 AM
 

The Administrators role is special. It is never affected by anything in Active Directory, unlike other roles that match an Active Directory security group. What I mean by that is that if a user is in the administrators group in AD it will not add that user to the administrator role in DNN. Same goes if you remove a user from the AD administrators group. This is done so that someone doesn't accidentally get admin rights to a DotNetNuke portal. So treat the administrator role just like you would if you weren't using the AD provider.

So... in your case, when you're ready you'll have to make the web team role the administrative role on the site. I've never done that, and in a quick look through a 6.1.4 test site that I have I couldn't find anywhere to set a role as administrator, but I did find how to set a particular user as administrator. However, in the Portals table in SQL there is a field for the AdministratorRoleId, so, in theory, you could update it to the RoleId of your web team (I make no guarantees that you won't hose your site with this).

Superusers have to be applied manually in the SQL Users table by changing IsSuperUser to true.

This would be no different than if you weren't using the AD provider. All you need to do is give whatever group (or each coach) edit rights to the parent page you want them to have those abilities on. They'll be able to add/delete/edit content of any modules on that page and add child pages to their page, but nowhere else.
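The two direct database edits described in the reply above (repointing Portals.AdministratorRoleId at another role and flipping Users.IsSuperUser), written the way an administrator would actually want to run them, as an added example that is not code from this thread or from DNN. It resolves the role ID first, uses parameterised queries, runs both updates in one transaction and rolls back unless exactly one row changes each time. The "dnn_" object prefix, the column names Roles(RoleID, PortalID, RoleName), Portals(PortalID, AdministratorRoleId) and Users(UserID, Username, IsSuperUser), the server name, the role name "Web Team" and the account "jdoe" are all assumptions; adjust them to your installation, and take a backup before running it, as the reply warns.

```powershell
# Added example, not code from the thread or from DNN. Applies the two database
# edits the reply describes with the checks a careful admin wants: resolve IDs
# first, use parameters (no string-built SQL), one transaction, roll back unless
# exactly one row changes per update.
# ASSUMPTIONS: default "dnn_" object prefix; Roles(RoleID, PortalID, RoleName),
# Portals(PortalID, AdministratorRoleId), Users(UserID, Username, IsSuperUser);
# the role "Web Team" already exists in portal 0; server/database/account names.
Add-Type -AssemblyName System.Data

$ConnectionString = 'Server=SQL01;Database=DotNetNuke;Integrated Security=SSPI'
$PortalId     = 0
$AdminRole    = 'Web Team'   # DNN role (mirrored by an AD group) to become the admin role
$HostUsername = 'jdoe'       # account to flag as superuser (host)

$conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
$conn.Open()
$tx = $conn.BeginTransaction([System.Data.IsolationLevel]::Serializable)

# Both helpers read $conn and $tx from the script scope and bind every value as a
# SqlParameter, so role and user names never get concatenated into SQL text.
function Invoke-Scalar([string]$Sql, [hashtable]$Params) {
    $cmd = $conn.CreateCommand(); $cmd.Transaction = $tx; $cmd.CommandText = $Sql
    foreach ($k in $Params.Keys) { [void]$cmd.Parameters.AddWithValue("@$k", $Params[$k]) }
    return $cmd.ExecuteScalar()
}
function Invoke-NonQuery([string]$Sql, [hashtable]$Params) {
    $cmd = $conn.CreateCommand(); $cmd.Transaction = $tx; $cmd.CommandText = $Sql
    foreach ($k in $Params.Keys) { [void]$cmd.Parameters.AddWithValue("@$k", $Params[$k]) }
    return $cmd.ExecuteNonQuery()
}

try {
    # 1. Resolve the target role; refuse to continue if it is not in this portal.
    $newRoleId = Invoke-Scalar 'SELECT RoleID FROM dbo.dnn_Roles WHERE PortalID = @p AND RoleName = @r' @{ p = $PortalId; r = $AdminRole }
    if ($null -eq $newRoleId -or $newRoleId -is [DBNull]) {
        throw "Role '$AdminRole' not found in portal $PortalId; create it in DNN first."
    }

    # 2. Record what is being replaced, for the change log.
    $oldRoleId = Invoke-Scalar 'SELECT AdministratorRoleId FROM dbo.dnn_Portals WHERE PortalID = @p' @{ p = $PortalId }
    Write-Host "Portal $PortalId AdministratorRoleId: $oldRoleId -> $newRoleId"

    # 3. Swap the admin role; exactly one portal row must change.
    $n = Invoke-NonQuery 'UPDATE dbo.dnn_Portals SET AdministratorRoleId = @new WHERE PortalID = @p' @{ new = $newRoleId; p = $PortalId }
    if ($n -ne 1) { throw "Expected 1 portal row updated, got $n" }

    # 4. Flag the superuser; exactly one row, and only if it is not already set,
    #    so a typo in the username cannot silently do nothing or hit several rows.
    $n = Invoke-NonQuery 'UPDATE dbo.dnn_Users SET IsSuperUser = 1 WHERE Username = @u AND IsSuperUser = 0' @{ u = $HostUsername }
    if ($n -ne 1) { throw "Expected 1 user row updated for '$HostUsername', got $n (missing, or already superuser?)" }

    $tx.Commit()
    Write-Host 'Committed.'
}
catch {
    $tx.Rollback()
    Write-Error "Rolled back, nothing changed: $_"
}
finally {
    $conn.Close()
}
```

DNN caches portal settings, so recycle the application pool or restart the site after the commit before checking the result in the UI. Keep the account used for the connection string limited to this one maintenance task; an account that can rewrite AdministratorRoleId and IsSuperUser can hand anyone full control of the portal, which is exactly why the reply says to treat the administrator role as something you maintain by hand rather than sync.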


 
New Post
6/15/2012 10:31 AM
 
It seems weird to me to need to directly manipulate the database and go around/subvert the application logic itself... I've worked in shops where that kind of thing could get a guy fired. That said, I'm very comfortable with the procedures involved, and as this has not gone live yet I'm willing to give it a shot. I can try the database change today for the AdministratorRoleId field, and if it somehow breaks things I can restore to last night's backup and no one will ever know (Of course I'll be sure to post the results).

One more question: as it stands, this is going to require creating 18 new and related groups in the top level of our domain tree. That's a lot of clutter. Is there any way to have the groups themselves listed under a separate OU that is devoted to this purpose, even though the users themselves are at the top level?
 
New Post
6/15/2012 3:03 PM
 
Just to follow up on the suggestion to change the AdministratorRoleID field.

I tried that and what happened is that it does use the new group, but it treats it just like the old administrators group, down to the behavior of not copying users out of active directory for that group. So it seems there is no way to sync administrator users from active directory.
 
New Post
6/16/2012 2:01 PM
 
I agree that you shouldn't need to directly manipulate the database but in my quick look around I couldn't find anywhere you could set it in a portal. I suspect it's a feature that was either dropped or never implemented.

I'd have to look at the code (as I haven't looked at the logic for this section in a while), but I'm suspecting I'm just looking at whether the role has admin rights and not specifically if it's the administrators role. A quick test would be to see if administrators on the domain are now being added to the administrators role in the portal.

Edit: I missed answering your question about users in the OU. Yes, you can do that. It takes the user's information and checks for any groups the user belongs to, even if it's only as a child to that group. I.e., you've got the parent group called Coaches and it has as a member the group HockeyCoaches. If the user is a member of HockeyCoaches they are also considered a member of Coaches, even though they aren't a physical member of that group.
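The nested-membership rule the reply describes, reproduced with native Active Directory queries so that you can audit who would land in which DNN role before wiring the groups up, as an added example that is not code from this thread or from the DNN AD provider. It uses the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941), which the domain controller evaluates across group nesting, and so also answers the OU question: the role groups can live in their own OU while users stay at the domain root, because membership is resolved by DN, not by container. The domain york.edu comes from the thread; the OU "OU=DNN Roles,DC=york,DC=edu", the group names and the account names are assumptions. Note the direction of the rule in the reply: members of a nested child group (HockeyCoaches) count as members of the parent (Coaches), not the other way round, so an account that is only in a parent Athletics group does not thereby get the team groups' roles; the audit makes that visible per group.

```powershell
# Added example, not from the thread or the DNN AD provider. Shows what the
# provider's "nested groups count" rule yields for a user and for a group, using
# LDAP_MATCHING_RULE_IN_CHAIN so the DC does the nesting walk.
# ASSUMPTIONS: RSAT ActiveDirectory module; domain york.edu (from the thread);
# DNN-mirrored role groups kept in a dedicated OU, users anywhere in the domain.
Import-Module ActiveDirectory

$RoleGroupOU = 'OU=DNN Roles,DC=york,DC=edu'   # where the 18 role groups live
$InChain     = '1.2.840.113556.1.4.1941'       # LDAP_MATCHING_RULE_IN_CHAIN

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping, so a DN containing ( ) * or \ cannot break the filter.
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

# All DNN roles the provider would grant this user: every group in the role OU
# the user belongs to, directly or through any depth of nesting.
function Get-EffectiveDnnRoles([string]$SamAccountName) {
    $user = Get-ADUser -Identity $SamAccountName
    $dn   = ConvertTo-LdapFilterValue $user.DistinguishedName
    Get-ADGroup -SearchBase $RoleGroupOU -LDAPFilter "(member:$InChain:=$dn)" |
        Select-Object -ExpandProperty Name
}

# Everyone who would receive a given DNN role, flagging whether the membership is
# direct or arrives only through a nested group (the case the reply describes).
function Get-DnnRoleMembers([string]$GroupName) {
    $group = Get-ADGroup -Filter "Name -eq '$GroupName'" -SearchBase $RoleGroupOU
    if ($null -eq $group) { throw "No group named '$GroupName' under $RoleGroupOU" }
    $dn = ConvertTo-LdapFilterValue $group.DistinguishedName
    Get-ADUser -LDAPFilter "(memberOf:$InChain:=$dn)" -Properties memberOf |
        Select-Object SamAccountName,
            @{ n = 'Direct'; e = { $_.memberOf -contains $group.DistinguishedName } }
}

# Audit every role group in the OU at once: role, account, direct-or-nested.
function Get-DnnRoleAudit {
    Get-ADGroup -SearchBase $RoleGroupOU -Filter * | ForEach-Object {
        $g = $_
        Get-DnnRoleMembers $g.Name |
            Select-Object @{ n = 'Role'; e = { $g.Name } }, SamAccountName, Direct
    }
}

# Usage:
#   Get-EffectiveDnnRoles 'jdoe'     # roles a hockey coach would get, Coaches included
#   Get-DnnRoleMembers 'Coaches'     # who gets the Coaches role, and whether via nesting
#   Get-DnnRoleAudit | Format-Table  # the whole mapping, to review before going live
```

Run the audit before enabling the provider and again whenever someone edits the role groups: a group nested into a parent by mistake grants the parent's DNN role to everyone below it, and nothing in the DNN UI will show that the membership came from AD nesting.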

 

