A precursor: I’ve worked now in two enviroments with conflicting principals on this. I am outlining the competing ideas and would like to know which is ‘correct’ given the scenario described.
Scenario: Multiple applications exist on our intranet. We are implementing OpenSSO with LDAP as our authentication control and user directory. The issue comes to play is, with the LDAP authentication we know a user is allowed on the intranet but to which applications is questionable.
We intend to use LDAP to control what applications each user can access i.e. helpdesk, consultant review, report generator, survey creator etc.
The question arises in that, within each application are a significant amount of roles, and the fact that people may have multiple roles.
What is the best way to address this second area? Shoudl ALL roles be in the ldap or just the application allowances with each app database containing the more granular roles?
One approach is to use LDAP to maintain relatively high-level role information, but keep the very detailed application-specific information internal to each application.
For example, an individual might be members of LDAP groups (roles) like “employee”, “help desk associate”, “help desk supervisor”, etc., and then the individual applications would map the high-level roles into the application-specific functions. A particular high-level role might imply access to multiple applications, and different roles would have different levels of access.
For example, a “help desk associate” might be able to create tickets, but maybe only a supervisor can delete them or run reports.
This is one of those areas where there’s no one right answer. Centralizing everything in LDAP gives you better ability to report/audit individuals’ access, at the cost of complicating your central LDAP schema with a lot of application-specific data. Also, depending on what existing/commercial applications you’re trying to integrate, the applications may not support pulling all their fine-grained access information from LDAP.