
Using Active Directory for authorization, or own system?

I am building a website to only be used on my domain and I am trying to design a better login screen than I have used in the past. I have used a script to check if the user was in AD, then grab their permissions level from an SQL table and use that to drive the application. Would it be better to authenticate the same way but to use AD groups to drive what permissions a user does/does not have?

This can only be answered by you. How fine-grained are the permissions you need? Is having an AD group like "Accounting", named after an actual department inside the organisation, specific enough? If not, how easily can you move users in and out of groups?

In short the pros and cons:

Active Directory authorization: good for letting large groups of users, who are already identified by an organizational unit, access coarse-grained functionality in your application. Less so for very fine-grained control, as it may be cumbersome to have multiple AD groups created in the organization where your application is going to run.

Application-specific role-based authorization (such as ASP.NET Identity): lets you as an application developer create groups and move users in and out of them. This is a negative point in and of itself: you, as a maintainer of the installed application, will have to maintain the users and groups, or instruct the client's applications manager's department how to do so, probably along with creating a UI for it.
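A hybrid of the two options weighed above, as an added example that is not part of the original answer: AD group membership supplies the coarse permissions and an application-owned SQL table supplies per-user exceptions. The group DNs, the `user_grants` table and the permission strings are assumptions made for illustration.

```python
import sqlite3

# Assumed coarse mapping: AD group DN (lower-cased) -> application permissions.
# Full DNs are matched rather than CNs, because a CN is only unique inside
# its container and a same-named group elsewhere must not inherit access.
GROUP_PERMISSIONS = {
    "cn=accounting,ou=groups,dc=example,dc=local": {"invoices.read", "invoices.approve"},
    "cn=helpdesk,ou=groups,dc=example,dc=local": {"tickets.read"},
}


def open_grant_store():
    """Constructed sample of the application's own table of per-user exceptions."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE user_grants (username TEXT, permission TEXT, "
        "effect TEXT CHECK (effect IN ('allow', 'deny')))"
    )
    db.executemany("INSERT INTO user_grants VALUES (?, ?, ?)", [
        ("alice", "reports.export", "allow"),    # fine-grained extra right
        ("alice", "invoices.approve", "deny"),   # carve-out from her AD group
    ])
    return db


def effective_permissions(db, username, member_of):
    """AD-group permissions adjusted by per-user rows; deny wins, default is nothing."""
    perms = set()
    for dn in member_of:  # member_of: group DNs read from the user's AD entry
        perms |= GROUP_PERMISSIONS.get(dn.strip().lower(), set())
    rows = db.execute(
        "SELECT permission, effect FROM user_grants WHERE username = ?",
        (username.lower(),),
    ).fetchall()
    perms |= {perm for perm, effect in rows if effect == "allow"}
    perms -= {perm for perm, effect in rows if effect == "deny"}
    return perms


def is_allowed(db, username, member_of, permission):
    """Default-deny check used by the application before each protected action."""
    return permission in effective_permissions(db, username, member_of)
```

With this split, moving a user between departments stays an AD operation, and only the exceptions need an application-side maintenance UI.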
