I have an active directory related question that I am really hoping someone can help me with ill give a Tl;Dr; first then more details below please let me know anything you think might be helpful.
Can DNN articulate what user is trying to access a file on a network to the file system?
So rather than:
AD[ allows user access to portal ] -> user requests a file on the portal -> DNN grabs this through its AD permissions -> DNN determines if the file can be served to the user through its permissions
I would like:
User is logged into portal through AD -> user requests a file on the portal -> the portal articulates to the file system "I am making this request on behalf of this AD user" -> file system can deny the request because the AD user does not have access to the file despite the fact that DNN as an AD user may have access.
Reasoning: certain files on our network NEED to be managed through the AD permissions for data privacy reasons but I would like for our portal to be able to allow access or deny access to certain confidential resources at the file system level so that even an administrator or someone cannot manipulate DNN to access files that they cannot access.
- Detailed Info --------
The way I understand AD to work is that AD manages groups and users within those groups and within the file system you can articulate what users/groups are allowed to access a resources through those group assignments.
So "If I belong to a group that has access to a file/folder on a network -> I have access to that resource" (Kind of a truism).
I would like to setup some folders on our DNN servers that have the ability to have read/write access to them that is managed by the file system and not by DNN permissions.
The way that I currently understand a request flow to work is:
1. AD determines if I [the user] have access to the DNN portal
2. When loading a page DNN requests files from the file server [through the "DNN User" (not my permissions but the sites permissions)]
3. DNN makes the determination if it will serve a file or not based on the permission I [the user] have been given within the DNN permission structure.
What I would like is:
1. AD determines if I [the end user] have access to the DNN portal
2. When loading a page DNN requests files from the file server but communicates to the file system that its requesting these on behalf of me [the end user]
3. If I [the end user] do NOT have access to a particular file even though DNN [the "user" in AD] would, it will deny DNN the file because I [the end user] am not permitted access to the file within the AD structure/file system.
I would like to be able to setup certain files/folders to which the site permission structure cannot grant ANYONE access to if it is denied to a user/group on the file system/AD level.
Please let me know if i can clarify any of this it's all a bit confusing and thank you ahead of time for any help I might receive!!!