Wednesday, 24 January 2018

Can and should user access permissions be stored in Active Directory?

I am currently looking at various designs of how to store user permissions. It is most likely I will choose Role Based Access Control (RBAC), and my original thought was to store the various role permissions in the database, with an area in the application that would allow an administrator to control the various user roles and role permissions. But some developers have mentioned to me not to do this and to let 'Active Directory' control the various user permissions. This would mean that the access definitions (rules) would not need to be in the database and the control of these permissions would not need to be done in an application. I imagine the access enforcement for the various areas of the software, e.g. Purchase Orders, would still need to be controlled by the application, and how the application interrogates the Active Directory permissions I still do not know.

The developers who have suggested doing this give the impression that it is possible and easier (saving time) than doing the access control using the database and application, although they have never done it themselves. Before I journey into how to develop for Active Directory, does anyone have experience of using it for access control for multiple areas of a Delphi application, and is this the direction access control is going for applications?

2 comments:

  1. First of all, logins are to be kept or imported/refreshed from AD via an ADSI query.
    Keeping app rights in AD is up to you, and basically an AD schema extension is needed for that, which may not be desirable for some reasons, though you might just want to import membership/location or any other AD attribute from AD to judge user permissions on.
    ADExplorer should help with searching for the real attribute names (not display names) for the query.

    1. Thanks for the info about AD schema extensions and AD Explorer. After a discussion with the other Developers it might not be as easy as they thought, and for the time being it has been decided not to go down the AD path.

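The first comment's middle path, importing AD group membership and judging permissions on it while the role definitions and the enforcement stay in the application, can be sketched in a few lines. The following is an added example written for this page, not code from the original post or from the Delphi application it asks about; it is in Python because the Delphi-side ADSI call is not shown on the page. It assumes the LDAP/ADSI query has already run and works on a constructed copy of the returned `sAMAccountName` and `memberOf` attributes; the group names, role names and the `(area, action)` permissions are invented for illustration. The `user_filter` helper shows how to build the search filter for that query with the value escaped per RFC 4515, so that an account name typed into a login form cannot alter the filter.

```python
"""Map AD group membership to application roles and enforce access in the app.

Added illustration for the blog post above; not from the original page.
Assumes the AD lookup (e.g. an ADSI/LDAP query from the Delphi app) has
already returned the user's attributes; here they are a constructed sample.
"""
import re
from typing import Dict, FrozenSet, Set, Tuple

# Constructed sample of what an LDAP/ADSI query for one user returns.
SAMPLE_USER = {
    "sAMAccountName": "jsmith",
    "memberOf": [
        "CN=App-Purchasing-Clerks,OU=Groups,DC=example,DC=local",
        "CN=Domain Users,CN=Users,DC=example,DC=local",
    ],
}

# Assumed mapping from AD group CN to application role. AD only supplies the
# membership; what a role may do is defined inside the application (below).
GROUP_TO_ROLE: Dict[str, str] = {
    "App-Purchasing-Clerks": "purchasing_clerk",
    "App-Purchasing-Managers": "purchasing_manager",
    "App-Admins": "admin",
}

# Assumed application-side role definitions (the "access definitions" from the
# question, e.g. rows in a database table). A permission is (area, action).
ROLE_PERMISSIONS: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "purchasing_clerk": frozenset({("purchase_orders", "view"),
                                   ("purchase_orders", "create")}),
    "purchasing_manager": frozenset({("purchase_orders", "view"),
                                     ("purchase_orders", "approve")}),
    "admin": frozenset({("purchase_orders", "view"),
                        ("purchase_orders", "approve"),
                        ("users", "manage")}),
}

# RFC 4515 escaping for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a user-supplied value so it cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(sam_account_name: str) -> str:
    """Build the LDAP filter that looks up one account by sAMAccountName."""
    return f"(&(objectClass=user)(sAMAccountName={ldap_escape(sam_account_name)}))"


def group_cn(dn: str) -> str:
    """Return the CN value of the first RDN of a group distinguished name.

    Splits on the first comma that is not escaped with a backslash, so a group
    like 'CN=Foo\\, Bar,OU=...' keeps its full name.
    """
    first_rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    key, _, value = first_rdn.partition("=")
    return value.strip() if key.strip().upper() == "CN" else ""


def roles_for(user: dict) -> Set[str]:
    """Translate the memberOf DNs into application roles; unknown groups are ignored."""
    roles: Set[str] = set()
    for dn in user.get("memberOf", []):
        role = GROUP_TO_ROLE.get(group_cn(dn))
        if role:
            roles.add(role)
    return roles


def is_allowed(user: dict, area: str, action: str) -> bool:
    """Deny by default; allow only if some mapped role grants (area, action)."""
    return any((area, action) in ROLE_PERMISSIONS.get(role, frozenset())
               for role in roles_for(user))


if __name__ == "__main__":
    print(user_filter(SAMPLE_USER["sAMAccountName"]))
    print("roles:", sorted(roles_for(SAMPLE_USER)))
    for check in [("purchase_orders", "create"), ("purchase_orders", "approve")]:
        print(check, "->", "allow" if is_allowed(SAMPLE_USER, *check) else "deny")
```

With this split the administrator manages group membership in AD with the normal tools, while the application still owns the list of areas and actions and makes every allow/deny decision itself, which is the enforcement the question expected to remain in the application.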