Get the name of the currently logged in user
See if they belong to a specific security group

You can get the user name of the currently logged in user and check their membership in a Windows security group with the WindowsIdentity and WindowsPrincipal classes in the System.Security.Principal namespace. The principal for the running thread is reached through Thread.CurrentPrincipal (System.Threading namespace), and the membership test is that principal's IsInRole method.

According to MSDN, "VB.NET's managed code can discover the identity or the role of a principal through a Principal Object which contains a reference to an Identity Object".

What does this mean? Think of Identity and Principal objects in terms of user and group accounts. User accounts represent people; group accounts represent categories of users and the rights they hold. In the .NET Framework an Identity object represents an individual (the user), a role represents a security group membership and the rights that go with it, and a Principal represents the combination of an Identity and the roles it belongs to (for example Administrators, Power Users or Backup Operators).

In the .NET Framework, the Principal object encapsulates an Identity object together with its roles and represents the security context under which code is running. So to check a user's membership in a security group we need to use the Principal object.

Wait, there's more. From the operating system's perspective each process, and every thread in it, has an associated security token that specifies the identity, group memberships and privileges of the thread. From the .NET Framework's point of view, each thread has a Principal associated with it that determines the identity of the thread and the roles it supports. However, the .NET runtime may associate a Principal with a thread that differs from the security token the operating system is using: by default (PrincipalPolicy.UnauthenticatedPrincipal) a thread gets a GenericPrincipal with an empty identity and no roles, regardless of who is logged in.

To check for security group membership you must set the principal policy to WindowsPrincipal, so that the runtime builds the thread's principal from the current security token (i.e. the current user). Principal policy is set on a per AppDomain basis and is applied the first time a thread's principal is requested, so set it before the first read of Thread.CurrentPrincipal.

This leads to the following code:

    Imports System.Security.Principal
    Imports System.Threading
    '
    ' Create an Identity object. Get the current domain\user.
    ' Parse out the domain name (including the trailing backslash;
    ' a bare user name with no backslash yields an empty domain).
    '
    Dim aID As WindowsIdentity = WindowsIdentity.GetCurrent()
    Dim aName As String = aID.Name
    Dim aDomain As String = aName.Substring(0, aName.IndexOf("\") + 1)
    '
    ' Tell the runtime to build a WindowsPrincipal from the current
    ' security token. This must run before Thread.CurrentPrincipal is
    ' read for the first time on this thread.
    ' aDomain & "GROUP_NAME" is of the form <domain name>\<your group name>.
    '
    AppDomain.CurrentDomain.SetPrincipalPolicy( _
         PrincipalPolicy.WindowsPrincipal)

    If Not Thread.CurrentPrincipal.IsInRole(aDomain & "GROUP_NAME") Then
        MsgBox("Authorization Failure.", MsgBoxStyle.Critical, "Error")
        Application.Exit()
    End If

If you want to check membership in one of the standard, built-in groups, you can use the IsInRole overload that takes a WindowsBuiltInRole enumeration value:

    Imports System.Diagnostics
    Imports System.Security.Principal
    Imports System.Threading

    AppDomain.CurrentDomain.SetPrincipalPolicy( _
         PrincipalPolicy.WindowsPrincipal)

    ' Thread.CurrentPrincipal is typed as IPrincipal; cast it to
    ' WindowsPrincipal to reach the WindowsBuiltInRole overload.
    Dim WP As WindowsPrincipal
    WP = DirectCast(Thread.CurrentPrincipal, WindowsPrincipal)
    Debug.WriteLine(WP.IsInRole(WindowsBuiltInRole.Administrator))

It is critical to cast the current principal to a WindowsPrincipal first. Thread.CurrentPrincipal is typed as IPrincipal, whose only IsInRole takes a String; the overload that accepts a WindowsBuiltInRole exists only on WindowsPrincipal, so the cast is what lets the compiler bind to the correct overload. One caveat when testing for Administrator: on Windows Vista and later, an administrator's non-elevated process runs with a UAC-filtered token in which the Administrators group is present for deny-only, so IsInRole(WindowsBuiltInRole.Administrator) returns False until the process is elevated.
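The following is an added example, not code from the original page: a complete console program that covers both snippets above (membership by DOMAIN\group name and by built-in role) in one place. It requires .NET Framework 2.0 or later for the SecurityIdentifier, NTAccount and WellKnownSidType types. Instead of passing a display name to IsInRole, it translates the name to a SID first, so a misspelled group or an unreachable domain controller surfaces as an IdentityNotMappedException and the program fails closed. The group name "GROUP_NAME" is a placeholder, and the helper names IsMemberOf and DomainOf are this example's own.

```vbnet
' Added example (not from the original page). Checks the calling thread's
' Windows token for group membership by SID and exits non-zero on failure.
Option Strict On

Imports System
Imports System.Security.Principal
Imports System.Threading

Module GroupCheck

    ' Placeholder group name; replace with a real group on your domain/machine.
    Private Const TargetGroup As String = "GROUP_NAME"

    ' Membership by well-known SID. Immune to renamed or localized group
    ' names (e.g. "BUILTIN\Administrateurs" on a French system).
    Public Function IsMemberOf(wp As WindowsPrincipal, wellKnown As WellKnownSidType) As Boolean
        Dim sid As New SecurityIdentifier(wellKnown, Nothing)
        Return wp.IsInRole(sid)
    End Function

    ' Membership by DOMAIN\group. The name is translated to a SID first, so a
    ' typo or an offline domain controller throws IdentityNotMappedException
    ' instead of quietly evaluating as "not a member".
    Public Function IsMemberOf(wp As WindowsPrincipal, domain As String, group As String) As Boolean
        Dim account As New NTAccount(domain, group)
        Dim sid As SecurityIdentifier = _
            DirectCast(account.Translate(GetType(SecurityIdentifier)), SecurityIdentifier)
        Return wp.IsInRole(sid)
    End Function

    ' Returns the DOMAIN part of "DOMAIN\user"; a bare name with no backslash
    ' is treated as a local account on this machine.
    Public Function DomainOf(accountName As String) As String
        Dim slash As Integer = accountName.IndexOf("\"c)
        If slash < 0 Then Return Environment.MachineName
        Return accountName.Substring(0, slash)
    End Function

    Sub Main()
        ' Must run before Thread.CurrentPrincipal is read for the first time;
        ' otherwise the thread keeps the default unauthenticated GenericPrincipal.
        AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal)

        Dim wp As WindowsPrincipal = DirectCast(Thread.CurrentPrincipal, WindowsPrincipal)
        Dim id As WindowsIdentity = DirectCast(wp.Identity, WindowsIdentity)

        Console.WriteLine("User: {0}", id.Name)
        Console.WriteLine("SID:  {0}", id.User)
        Console.WriteLine("Auth: {0}", id.AuthenticationType)

        ' Both calls ask the token the same question; the enum overload is a
        ' shortcut for the well-known Administrators SID. Under a UAC-filtered
        ' (non-elevated) token both return False for an administrator.
        Console.WriteLine("Administrators (enum): {0}", wp.IsInRole(WindowsBuiltInRole.Administrator))
        Console.WriteLine("Administrators (SID):  {0}", IsMemberOf(wp, WellKnownSidType.BuiltinAdministratorsSid))

        Dim domain As String = DomainOf(id.Name)
        Try
            If Not IsMemberOf(wp, domain, TargetGroup) Then
                Console.Error.WriteLine("Authorization failure: not a member of {0}\{1}", domain, TargetGroup)
                Environment.Exit(1)
            End If
        Catch ex As IdentityNotMappedException
            ' Fail closed: an unresolvable group name must never count as "allowed".
            Console.Error.WriteLine("Cannot resolve group {0}\{1}: {2}", domain, TargetGroup, ex.Message)
            Environment.Exit(2)
        End Try

        Console.WriteLine("Authorized as a member of {0}\{1}", domain, TargetGroup)
    End Sub

End Module
```

Run it once normally and once from an elevated prompt on an administrator account to see the two Administrators lines flip from False to True; the SID-based check and the enumeration overload always agree, because both consult the same token.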

The book "Visual Basic .NET Code Security Handbook" contains an excellent description of .NET security.

As an aside, an ASP.NET application does not run under the browsing user's account. The worker process runs under a service account (ASPNET on IIS 5; NETWORK SERVICE or the application pool identity on later versions), and Environment.UserName returns the account the code is executing under:

    strID = Environment.UserName

The identity of the authenticated web user, if the site authenticates users at all, is exposed separately through HttpContext.Current.User.

If you use this code, please mention "www.TheScarms.com"



© Copyright 2024 TheScarms