3.5.4.1 IsPrincipalMemberOf

The IsPrincipalMemberOf operation provides a mechanism for verifying whether a specific user is currently a member of specific groups that the requestor cannot expand by contacting the directory itself.

In the IsPrincipalMemberOf operation, the requestor specifies a principal name, the forest of the principal, the target groups for which it needs an answer, and the count of cross-forest calls so far. The responder queries the directory and returns the membership status. IsPrincipalMemberOf MUST return true if the user is a member of at least one of the specified groups and MUST return false otherwise.

A properly formed IsPrincipalMemberOf request MUST contain valid data for each of these elements.

Figure 6: IsPrincipalMemberOf message sequence diagram

It is possible that a requested group contains a subgroup in another forest, causing the responder to make a new IsPrincipalMemberOf request to another server before it can respond to the original requestor. To prevent infinite loops or unacceptably long response times, the request specifies the number of servers that have been involved in servicing this group expansion request so far.

 <wsdl:operation name="IsPrincipalMemberOf">

The SOAP operation is defined as follows.

 <soap:operation
  soapAction=
   "http://microsoft.com/DRM/GroupExpansionWebService/IsPrincipalMemberOf"
  style="document"/>

Request Validation:

The responding server MUST validate the input parameters upon receiving an IsPrincipalMemberOf request. For the GroupExpansionWebServiceSoap port type, the IsPrincipalMemberOf request MUST follow the schema specified in section 3.5.4.1.1.1. See section 3.6.4.1 for additional details regarding a successful binary request.

Data Processing:

For a successful request, the responding server checks the directory for the principal specified in the request and determines whether the principal is a member of one of the groups specified in the request.

If a requested group contains a subgroup in another forest, the responding server SHOULD make a new IsPrincipalMemberOf request to the appropriate server before it responds to the original requestor. In this new request, the count of cross-forest calls so far SHOULD be incremented. The incremented count indicates that another server has been involved in servicing this group expansion request. To prevent infinite loops or unacceptably long response times, a server SHOULD reject the request and return a fault if the count exceeds some predefined maximum.<23>
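The following sketch is an added illustration of the data processing rules above, not code from the specification or from any RMS implementation. It models the membership result and the cross-forest call count only; the names `FORESTS`, `Fault`, `MAX_CROSS_FOREST_CALLS` and its value, and the forest and group names are assumptions made for the example, and SOAP encoding and the principal's forest are left out.

```python
# Added illustration; names and data below are constructed, not from the specification.
MAX_CROSS_FOREST_CALLS = 3  # assumed value; the maximum is left to the implementation

class Fault(Exception):
    """Stands in for the fault a server returns for an unsuccessful request."""

# Constructed directories: forest -> group -> (direct members, [(forest, subgroup), ...])
FORESTS = {
    "a.example": {"eng": ({"alice"}, [("b.example", "contractors")]),
                  "loop": (set(), [("b.example", "loop")])},
    "b.example": {"contractors": ({"bob"}, []),
                  "loop": (set(), [("a.example", "loop")])},
}

def is_principal_member_of(forest, principal, groups, calls_so_far):
    """Responder logic for one forest: True if principal is in at least one group."""
    if not isinstance(calls_so_far, int) or calls_so_far < 0:
        raise Fault("invalid call count")
    if calls_so_far > MAX_CROSS_FOREST_CALLS:
        # Reject instead of expanding further: bounds loops and response time.
        raise Fault("cross-forest call limit exceeded")
    directory = FORESTS.get(forest, {})
    pending, seen = list(groups), set()
    while pending:
        name = pending.pop()
        if name in seen or name not in directory:
            continue  # groups that cannot be found contribute nothing
        seen.add(name)
        members, subgroups = directory[name]
        if principal in members:
            return True
        for sub_forest, sub_group in subgroups:
            if sub_forest == forest:
                pending.append(sub_group)  # same forest: expand locally
            # Other forest: new request with the count incremented.
            elif is_principal_member_of(sub_forest, principal, [sub_group],
                                        calls_so_far + 1):
                return True
    return False
```

The two constructed `loop` groups reference each other across forests, so a per-request visited set cannot detect the cycle; only the forwarded count terminates the expansion, and it does so with a fault, not a false result.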

Response:

For the GroupExpansionWebServiceSoap port type, a successful IsPrincipalMemberOf response MUST follow the schema specified in section 3.5.4.1.1.1. See section 3.6.4.1 for additional details regarding a successful binary response.

A successful response MUST return either true or false indicating the group membership status. The status MUST be false if the principal cannot be found or if none of the groups can be found. For an unsuccessful request, the server MUST return a fault code. This operation throws only Common Fault Codes for the RMS: Server-to-Server Protocol as specified in section 2.2.9.1.