> A better (read: more extensible) scheme would be to create a single application
> object for each application you wish to secure, and use the
> ACLs on the objects to control access to the application. For instance, if the
> application is domain specific, you might put the application object in the CN=Program
> Data,DC=domain container. If it is an enterprise app, you might create a container
> somewhere under CN=Services,CN=Configuration,... To check if someone has access to run
> the app, just have the app read the object. If the app can read the object, the user can
> run the app, otherwise not.

In a client-server based scenario, this is alright because the application can be seen to be running in the context of the logged-in user, and so the access privileges behave accordingly, as you mentioned. But would something like this work for web-based applications? i.e. where a user just visits a URL to run the ASP code (executed on the server). Would the user's credentials be available just as in the scenario above?

-Shshank
QTC Management Inc.

>
> -gil
>
> -----Original Message-----
> From: Sharma, Shshank [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 10, 2003 1:35 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Extending the Active Directory Schema
>
>
> I am thinking about something similar, such as adding attributes like
> allowAccessToApplicationX, allowAccessToApplicationY and so
> on, for users.
>
> How easy is doing something like this, anyone?
>
> ./Shshank
>
> -----Original Message-----
> From: Pennell, Ronald B. [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 10, 2003 9:14 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Extending the Active Directory Schema
>
>
> Has anyone extended the active directory to include the
> employee number as a
> displayed field? I understand that this field exists, but
> not no attributes
> has been set. I want to add the employee number in the
> displayed items when
> setting up the user account.
>
> Running W2K Sp3...
>
> Ron Pennell
> [EMAIL PROTECTED]
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
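
Added example, not part of the original thread: one way an application could perform the read check described in the quoted reply at the top of this message, in PowerShell. The DN `CN=ExampleApp,CN=Program Data,DC=example,DC=com` and the function name `Test-AppAccess` are hypothetical, and the code assumes it runs under the Windows identity of the user whose access is being checked.

```powershell
# Added illustration, not code from the thread.
# Hypothetical DN of the per-application object whose ACL grants access.
$AppObjectDn = 'CN=ExampleApp,CN=Program Data,DC=example,DC=com'

function Test-AppAccess {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    # No username/password is passed, so the bind uses the security context
    # this code runs under, and the directory evaluates the object's ACL
    # against that identity.
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")
    try {
        # Force the bind and a real read of one attribute from the server.
        $entry.psbase.RefreshCache([string[]]@('cn'))
        # An object can be visible while its attributes are not readable,
        # so require that the attribute actually came back.
        return $entry.psbase.Properties.Contains('cn')
    }
    catch {
        # Access denied, object not found, or server unreachable: fail closed.
        return $false
    }
    finally {
        $entry.psbase.Dispose()
    }
}

# Gate application start-up on the result of the read check.
if (-not (Test-AppAccess -DistinguishedName $AppObjectDn)) {
    Write-Error 'Not authorized to run this application.'
    exit 1
}
```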
