LDAP for Application Access Control, how much should it control?
Asked Answered
M

1

7

A precursor: I've worked now in two enviroments with conflicting principals on this. I am outlining the competing ideas and would like to know which is 'correct' given the scenario described.

Scenario: Multiple applications exist on our intranet. We are implementing OpenSSO with LDAP as our authentication control and user directory. The issue comes to play is, with the LDAP authentication we know a user is allowed on the intranet but to which applications is questionable.

We intend to use LDAP to control what applications each user can access i.e. helpdesk, consultant review, report generator, survey creator etc.

The question arises in that, within each application are a significant amount of roles, and the fact that people may have multiple roles.

What is the best way to address this second area? Shoudl ALL roles be in the ldap or just the application allowances with each app database containing the more granular roles?

Medeiros answered 29/7, 2010 at 14:1 Comment(0)
C
5

One approach is to use LDAP to maintain relatively high-level role information, but keep the very detailed application-specific information internal to each application.

For example, an individual might be members of LDAP groups (roles) like "employee", "help desk associate", "help desk supervisor", etc., and then the individual applications would map the high-level roles into the application-specific functions. A particular high-level role might imply access to multiple applications, and different roles would have different levels of access.

For example, a "help desk associate" might be able to create tickets, but maybe only a supervisor can delete them or run reports.

This is one of those areas where there's no one right answer. Centralizing everything in LDAP gives you better ability to report/audit individuals' access, at the cost of complicating your central LDAP schema with a lot of application-specific data. Also, depending on what existing/commercial applications you're trying to integrate, the applications may not support pulling all their fine-grained access information from LDAP.

Casting answered 29/7, 2010 at 15:11 Comment(1)
Thanks for the input, this is largely the same idea I myself follow, I just wanted to make sure it was sound reasoning. I'm meeting some resistance on it (I'm looking ahead two years where we may have a 100 Apps, they look at now where we have 5 only) as people don't realize the complex ldap tree we may end up with if we put too much in it :).Medeiros

© 2022 - 2024 — McMap. All rights reserved.