Requirement:
We have created DQS Knowledgebase, Domains, Domain Values/Rules using DQS client provided by SQL.
Now, we need to invoke DQM Knowledgebase, domain values , Rules from .Net application using an API. User should be able to provide input values and select the Domain, Value/Rule. User should get corrected Output value with attributes such as confidence level on operation execution
We are able to achieve this using SSIS but we are looking for APIs which can be used in ASP .net client application.
Approach: So far Approach we have taken is, configure Master Data Manager web service, this allows programmatic use of the features of Master Data Service (DQS can be integrated with Master data service).
This WCF service have set of Data Quality Service Operations such as DataQualityCleansingOperationCreate, DataQualityKnowledgeBasesGet, DataQualityMatchingOperationCreate, DataQualityOperationStart, DataQualityOperationResultsGet.
Reference: http://msdn.microsoft.com/en-in/library/hh230995.aspx
Problem:
we are not able identify the exact implementation sequence of these operations. We are trying to find out,
How we can provide Input values to these operations, How to select the Operation to perform, How to associate Domain, values, rules, references to operation. How to read the result object.
Any help/pointers or alternative approach are appreciated.
Thanks in advance.
Om
You cannot programmatically use/access DQS functionality because its not supported in the current version of DQS.
This fact that DQS will not provide any public APIs in SQL Server 2012 is clearly documented in Q.12 of DQS FAQs on the TechNet Wiki: http://social.technet.microsoft.com/wiki/contents/articles/3919.data-quality-services-dqs-faq.aspx#Q_12_Will_DQS_provide_public_APIs.
Thanks,
Vivek
Related
We have a legacy system that uses a resource/action based authorization. Recently our company has decided to use a LDAP server as a repository for both Authentication and Authorization.
I haven't worked with LDAP servers before but as far as I have learned we can define our schema for different objects.So I have searched the Net for a simple example of implementation of a resource/action based authorization using LDAP and I haven't found anything (Everybody is talking about users,group and roles)
So two questions come to my mind :
Is it a good idea to use LDAP for a resource-action based authorization
(Since I could not find a good example of how to do that)
If yes, how can we implement it? (Any google result would help :) )
PS: Our application is written in C#. Are there any good open source LDAP client out there that we can use or we should go with .Net DirectoryServices ?
You can take a step back and look at the bigger access control / authorization use case. IF you want to do resource-action based authorization, you can roll out ABAC, the attribute-based access control model.
ABAC is an evolution of RBAC and identity-centric authorization. It was designed by NIST, the same organization that standardized RBAC.
With ABAC, your LDAP server becomes a source of attributes. An attribute is simply a key-value pair. The benefit if using ABAC in your case is that you do not need to extend or change your LDAP schema.
With ABAC, you achieve the following benefits:
you externalize the authorization logic to a central policy decision point
you express the authorization logic as policies instead of roles
the policies can use any attribute of the user, resource, action, and context
You can express the following scenarios in ABAC:
a user with the role==manager can do the action==edit on a document if the document.location==user.location
XACML, the eXtensible Access Control Markup Language implements ABAC. You can read more on XACML and ABAC here:
ABAC: NIST project page.
XACML introduction & architecture.
You will need to deploy an interceptor (policy enforcement point) in front of the applications you want to protect.
LDAP is very flexible and you can define whatever schema you want but it's not an obvious task.
I would say it's very suitable for your case but I know of no default schema for that. Googling a bit , I found this RFC which might give you a starting point. Would that match what you need?
Regarding .Net library: is it a "pure" LDAP server or an Active Directory server ?
It seems DirectoryServersupports both so I would stick with it. Note that for a pure LDAP server, you would have to connect using System.DirectoryServices.Protocols.LdapConnection.
SO entries like this one would probably be helpful too.
Hope this helps.
I am working with an asp.net application in .net 4.0. I have configured it to use windows integrated authentication.
What I want it to do is use the user groups on my pc/server as if they were roles. I can't find documentation or mention of it anywhere from my google results.
The reason this is required is because we have a COTS product which does this and we want to reuse the groups as roles.
Could I get an example or a pointer to some documentation so I can figure out how to do it?
The end result here was that we communicated with our Sever Services team who were more than happy to help us use Active Directory to come up with a Corporate solution instead of using individual server user stores. This is a much better solution as the groups are reusable and integrate with other applications too.
The lesson here is that engagement with IT services with a business case is always worth the effort.
I am writing a new version of a Delphi app in WPF/MVVM. It is not a complete redesign from the ground up, but rather just replacing Delphi code with WPF code, with a few modernization changes. I currently only have access to the running Delphi app, not source, but will have that soon.
Currently authentication uses a database query for a user name and hashed - I suspect it's not quite one way, but must address that later than today - password. How do I store that a user is authenticated, to check for access to all application commands and data? A simple private boolean in the User view model, an instance which is contained in the top level, application, view model? Or maybe when I extend to authorization, simply the fact that the User view model has been allocated a null list of permissions? What is normally done here?
The application is an access control and time and attendance management app for a very large international corporation, so security levels need be fairly high. Using AD is not feasible at this point due to the equally massive user base and list of access rights, and the rewrite is on very high priority.
Not a simple question, actually.
This doesn't fit as a comment, so I'm posting this as an answer:
what is the architecture of your application? 2-tier? 3-tier?
are you using WCF for the communication?
who are the users of your application? Windows users?
from where is your application used? In a Windows domain? Over the Internet?
Those questions might help you decide which way to go.
For example, if you're using 3-tier architecture, WCF for the communication, application used on a Windows domain, you might be interested in a non-custom authentication (you could use Windows authentication). See MSDN (Authentication, Authorization, and Identities in WCF).
I have a ASP .NET application that we give to our clients for them to deploy it in their web server and use it. My concern is that all of my ASPX pages source code is open
and our clients can open the ASPX/CS file and see the code in it.
I want to protect my code something like a Windows application by implementing some 15-20 days trial limitations. Also on the other hand the source code must have some third party dll so that whenever they try to deploy the fresh build, it will be available for limited period only.
The payment terms with our client is, First Source Code and then Payment. So I am thinking some in between way that the faith at both side remain as it is. How can I do this?
Publish your web application so that all the code behind files are compiled into a dll. This way they cannot easy see your code. They will however be able to use reflection to see the code using tools such as jetBrains dotPeeek.
Best Option
Host the site yourself but as this doesnt answer your question here are some other options
1st Option
If the client insists on hosting the site as they are concerted about owning the data then allow them to host the site and database but pull in the functionality from a centrally hosted site that you are in control of. You can even provide an api.
You provide the client with a hash code in the web.config and this gets validated against your site.
The hash gets made up from:
presalt
the web service address
the expiry date
client uniqueidentifier
any other info you want
postsalt
Encrypt the request and response of the web service and send via ssl.
The client hash will be sent in the request. Build a new hash with the same fields and validate this against the hash you received from the client. if it is not valid you don't provide the functionality.
Google maps requires that you register and get a hash code as they can then terminate your usage of the google maps api if you misuse it.
2nd Option
Another option would be to setup a web service call to a site that you host.
The deployed compiled web application would then build a hash using the response from your web service and match the generated hash with the hash you sent over in the response.
This means that if the client block traffic to your web service or tried to fake the response then the application will stop working.
Also add some logic to alert you if they have tried to fake the response. This obviously wont work if they block the call to your web service.
You wouldn't include the salts here as the client could read them if they decompiled your code.
3rd Option
Add two fields to your web.config:
the hash code which you have generated for the client
an expiry date.
If the client changes the expiry date to allow them more time then it will not validate and they will be locked out.
Opion 2 and 3 would allow the client to reverse engineer the hashcode if they really wanted to.
=====================================
I don't really see the need for it but if you want you can use some obsfucation tools like mentioned in the other post to make it harder for the client to read your code. But even if they can read your code they should not be able to create a valid hash code on their own.
I suggest you check out .NET Reactor and Intellilock. .NET Reactor will prevent decompilation of compiled code, however with aspx I'm not sure how this will work since it would need to be pre-compiled. Intellilock will provide the ability to set an expiration time. I've used both with standard executables but never ASPX so I'm not sure if they'll help.
Link: http://www.eziriz.com/
DotFuscator Community Edition is a possibility, but it's probably too basic for your needs.
I suggest you look at the commercial obfuscators on the market. Here's a list of some I found with a simple Google search. (This is not a recommendation of any of these tools.)
.NET Obfuscator from Red Gate Software (I've used their Reflector tool in the past and it was good.)
You could make your own. See this StackOverflow thread.
Here's a thread on MSDN
I've looked to many sources, and found many examples, but none really fit the situation that I hope to take a project to. I am writing a bunch of WCF services, some publicly accessible, others not (server to server), that will allow a fully flexible cloud app that ensures the ability to scale out the service as needed through Azure. I am unsure which way to go with message authentication, as I want to make sure a particular user logged in, can perform different tasks, and prevent others from running those tasks.
Most of what I have seen uses roles or ASP.NET membership. I have my own custom membership users will use to login with, and I don't rely on standard membership providers, or active directory. What is your recommendation? I thought about just creating a token that is created on successful login, that is stored within a cookie, added as a parameter passed into each method, but with some research, I think this might be able to be handled without modifying all my methods.
What are your thoughts?
You can easily implement authentication without needing to manually pass a token into all your functions by using UserNameAuthentication and writing a custom validator - there is a fairly straightforward tutorial here
If you use UserNameAuthentication, you will need to use SSL/HTTPS, which means you'll need to get a server certificate - this is a good idea anyway for most business applications.
At the server side you can get the identity of the current user:
IIdentity wic = OperationContext.Current.ServiceSecurityContext.PrimaryIdentity as IIdentity;
use basic authentication and have the webservice authenticate against your membership store.