How do I implement a role hierarchy in an ASP.NET MVC application using ActiveDirectoryMembershipProvider?

2023-09-09 21:34:41 Author: 余生你要陪我浪

In my ASP.NET MVC app I am using the ActiveDirectoryMembershipProvider. In Active Directory I have created a couple of roles (groups) similar to, for simplicity of this example, "normal" and "administrator".

I am currently querying whether the user is in a role by getting the IPrincipal of the HttpContext and calling User.IsInRole(nameOfRoleGoesHere).

The behaviour I'm looking for is for me to be able to ask whether the user is in role "administrator" and then implicitly be asking whether the user is in all roles below that (in this case role "normal" would be below "administrator"). As my roles are mainly vertical (if that makes any sense), this kind of role inheritance seems to make sense for my application at the moment.

How can I get this behavior? Must I implement some custom logic allowing me to ask for role "administrator", but abstracting away actually asking for both "normal" and "administrator" in Active Directory behind the scenes, or is it possible to structure groups in Active Directory somehow giving me this behaviour automatically?

Apologies for any gross misunderstandings of ASP.NET, Active Directory and .NET security on my part. I am a rookie and experimenting.

Recommended answer

AD supports the concept of a group being a member of another group?

So you could have the following:

Users: Anne, Bob, Charlie, Douglas, Elliot, Fred and George.

Roles: Normal, Editor, Admin

Then define each group as:

Admin has the following members: George

Editor has the following members: "Admin", Douglas, Elliot

Normal has the following members: "Editor", "Admin", Anne, Bob, Charlie

Therefore, you know that George is a member of Normal, Editor and Admin, because all members of Admin are included in those groups, while Douglas is only a member of Editor and Normal, and Anne is just a Normal user, and AD would say "yes, George is a Normal user" if you asked it.

HOWEVER: There isn't (as far as I know) an official, MS-supported ActiveDirectory RoleProvider that would populate the RolesPrinciple with the correct AD roles. There are a couple out there, like this one on CodePlex. What have you defined as your role provider?

The default ASP.NET role provider doesn't support role hierarchies, so you would need to either:

1. Put the user in each role they have access to, and only check for the role you're interested in.
2. Put the user in the most powerful role they can access, and then check for every role that should have access.
3. Write/find a role provider that supports hierarchies, simply by returning true if the user is in a higher order role.
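
The third option above, as an added example that is not part of the original answer or of any published role provider: a hierarchy-aware check layered over IPrincipal.IsInRole, using the answer's Normal, Editor and Admin roles. The RoleHierarchy class, its method names and the GenericPrincipal sample users are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical helper (not a framework type): wraps IPrincipal.IsInRole with a role hierarchy.
public sealed class RoleHierarchy
{
    // role -> roles directly above it; compared case-insensitively
    private readonly Dictionary<string, List<string>> _parents =
        new Dictionary<string, List<string>>(StringComparer.OrdinalIgnoreCase);
    // Declare that holders of 'higher' implicitly hold 'lower'.
    public RoleHierarchy Implies(string higher, string lower)
    {
        if (!_parents.TryGetValue(lower, out var list))
            _parents[lower] = list = new List<string>();
        list.Add(higher);
        return this;
    }
    // True if the user holds 'role' or any role above it. The visited set
    // keeps a misconfigured cycle (A implies B implies A) from looping forever.
    public bool IsInRoleOrHigher(IPrincipal user, string role)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated) return false;
        var seen = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        var pending = new Stack<string>();
        pending.Push(role);
        while (pending.Count > 0)
        {
            var current = pending.Pop();
            if (!seen.Add(current)) continue;          // already checked this role
            if (user.IsInRole(current)) return true;   // direct or inherited match
            if (_parents.TryGetValue(current, out var higher))
                foreach (var h in higher) pending.Push(h);
        }
        return false;
    }
}

public static class Demo
{
    public static void Main()
    {
        var roles = new RoleHierarchy().Implies("Admin", "Editor").Implies("Editor", "Normal");
        // Constructed principals: each user is placed only in their most powerful role.
        var george = new GenericPrincipal(new GenericIdentity("George"), new[] { "Admin" });
        var anne = new GenericPrincipal(new GenericIdentity("Anne"), new[] { "Normal" });
        Console.WriteLine(roles.IsInRoleOrHigher(george, "Normal")); // Admin sits above Normal
        Console.WriteLine(roles.IsInRoleOrHigher(anne, "Editor"));   // Normal sits below Editor
    }
}
```

In an MVC application the same check would be called with HttpContext.User in place of the constructed principals; keeping the hierarchy in one place means an authorization decision never depends on remembering to list every higher role at each call site.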