A project I’m working on is supposed to authenticate users against AD. I’ve never worked with AD before, nor have I worked in organizations that use AD, so here’s my stupid question: in case AD is involved, who manages roles, groups and users for the application? Is it my responsibility to provide a UI for the site admin to assign AD users to my app roles, or should AD admins take care of creating the appropriate groups expected by my app and assigning existing AD users to them?
What are the best practices in this department?
One thing to note: this is not an in-house app, so it is supposed to work with an existing AD. The question is, if my app expects roles like ‘Teachers’ and ‘Students’ (just to illustrate the point), may I expect that IT people will create appropriate groups in AD and assign users to them?
I don’t think you should supply a GUI for Active Directory. Most organizations that use Active Directory manage it with the standard Active Directory tools.
If you want to handle the case of small shops, then make the groups internal to the application DB. You will still be able to use the Active Directory users, but the group management and membership will be internal to your application. This will avoid most problems of dealing with the complex rules of Active Directory, and still benefit from single sign-on.
One more thing to note: the group names should be customizable. Most places have a naming convention for group names.
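As an added example (not code from the question or the answer above), the following Python sketch shows the arrangement the answer describes: the app authenticates the user against AD and receives their group distinguished names, a deployment-specific mapping translates customizable AD group names into the app’s fixed roles, and an application-internal assignment table covers sites that do not want to create AD groups at all. The role names, group DNs and user principal names are constructed for the example; the mapping keys and `memberOf` list are whatever a real LDAP or SSO lookup would return.

```python
"""Map Active Directory group memberships to application roles.

Added example, not part of the original post. It assumes the user has
already been authenticated against AD (LDAP bind, Kerberos/SSO, ...) and
that the application has the user's group DNs (e.g. the `memberOf`
attribute) in hand. All names below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set


def normalize_dn(dn: str) -> str:
    """Canonicalize a distinguished name for comparison.

    AD matches DN components case-insensitively and ignores whitespace
    around the separating commas, so a naive string compare would miss
    'CN=Teachers, OU=Groups,DC=example,DC=org' against
    'cn=teachers,ou=groups,dc=example,dc=org'. Commas escaped with a
    backslash are part of a value and must not be treated as separators.
    """
    parts = re.split(r"(?<!\\),", dn)
    return ",".join(p.strip().lower() for p in parts)


@dataclass
class RoleResolver:
    # The roles the application itself defines; these are fixed in code.
    app_roles: Set[str]
    # App role -> AD groups granting it. Site admins fill this in to match
    # their own naming convention (e.g. 'APP-LMS-Teachers'); the app never
    # hard-codes a group name.
    group_mapping: Dict[str, List[str]] = field(default_factory=dict)
    # Fallback for small shops: role membership kept in the app's own DB,
    # keyed by the user's directory identity, while AD still does sign-on.
    internal_assignments: Dict[str, Set[str]] = field(default_factory=dict)

    def __post_init__(self) -> None:
        unknown = set(self.group_mapping) - self.app_roles
        if unknown:
            raise ValueError(f"mapping refers to unknown app roles: {unknown}")
        # Invert the mapping once so lookups are O(1) per group.
        self._roles_by_group: Dict[str, Set[str]] = {}
        for role, groups in self.group_mapping.items():
            for g in groups:
                self._roles_by_group.setdefault(normalize_dn(g), set()).add(role)

    def assign_internal(self, user_principal: str, role: str) -> None:
        """Grant a role through the app's own DB rather than an AD group."""
        if role not in self.app_roles:
            raise ValueError(f"unknown app role: {role}")
        self.internal_assignments.setdefault(user_principal.lower(), set()).add(role)

    def roles_for(self, user_principal: str, member_of: Iterable[str]) -> Set[str]:
        """Resolve the app roles for an authenticated user.

        Deny by default: a user with no mapped group and no internal
        assignment gets an empty role set. Note that `memberOf` lists
        direct memberships only; if a site nests groups, the caller must
        expand them (e.g. via AD's tokenGroups) before calling this.
        """
        roles: Set[str] = set()
        for dn in member_of:
            roles |= self._roles_by_group.get(normalize_dn(dn), set())
        roles |= self.internal_assignments.get(user_principal.lower(), set())
        return roles


def build_demo_resolver() -> RoleResolver:
    """Constructed configuration: a site that prefixes its groups with APP-LMS-."""
    resolver = RoleResolver(
        app_roles={"Teachers", "Students", "Admins"},
        group_mapping={
            "Teachers": ["CN=APP-LMS-Teachers,OU=Groups,DC=example,DC=org"],
            "Students": ["CN=APP-LMS-Students,OU=Groups,DC=example,DC=org"],
            # Admins is deliberately unmapped: this site grants it internally.
        },
    )
    resolver.assign_internal("admin.user@example.org", "Admins")
    return resolver


if __name__ == "__main__":
    r = build_demo_resolver()
    # Constructed memberOf values as an LDAP query might return them.
    print(r.roles_for("jdoe@example.org",
                      ["cn=app-lms-teachers, ou=groups, dc=example, dc=org"]))
    print(r.roles_for("admin.user@example.org",
                      ["CN=Domain Users,CN=Users,DC=example,DC=org"]))
```

The important design point is the split of responsibility: the code owns the role names, the site owns the group names (via the mapping), and the internal assignment table exists only so the app still works where IT will not create groups for it.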