Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I’m relatively new to using AD, and I’m using group memberships to control what features and functions are loaded/visible to a given user, both in web and desktop applications.
AD has security groups and distribution groups, and I’m using some of each to get fine-grained discrimination among roles.
What should be my concerns about using distribution groups in this way?
You might consider looking at AzMan (Authorization Manager).
It can be tied to active directory accounts and completely stored within AD. AzMan provides a lot more fine grained control over Roles and even Actions allowed. In short you would code your apps to test if the user is authorized for particular Actions. When creating Roles you would assign one or more actions to that role.
This would allow you to mix and match actions in various roles as necessary without having to change your code base. I’ve used it extensively and it’s pretty good.
The downside to just using regular AD groups is that you might end up with dozens or even hundreds (depending on the complexity of your apps) roles that pollute the AD space.
For example, let’s say you want to have a security check before allowing an account to be deleted. In AzMan you would create an AccountDelete action and assign that action to one or more roles like Administrator, Account Administrator, etc.
In AD you would have to create a new group altogether and assign it out. This gets very complicated very quickly.